Privacy

A short, plain-English description of what this site collects, what it doesn’t, and how I handle anything you send me during an engagement. Last updated May 2026.

What this site collects

This site uses Google Tag Manager, which loads Google Analytics. That tracks aggregate things: pages visited, referral source, country, device class, broad geography. It does not collect your name, your email, your IP address in identifiable form (IP anonymisation is on), or anything you didn’t voluntarily type into a form.

The booking calendar embedded on the free-audit page is Calendly. When you pick a time, Calendly collects whatever you put in their form: name, email, the time slot, and any notes you add. That information goes to Calendly and to me. It does not go anywhere else.

There is no newsletter signup, no remarketing pixel, no chat widget, no exit-intent popup, no behavioural ad targeting, and no third-party data broker integration. There is also no cookie banner, because the only cookies set are GTM/GA in their privacy-friendly default mode, which most jurisdictions treat as exempt from consent requirements. If your jurisdiction is stricter and you’d prefer none of it, your browser’s “block third-party cookies” setting accomplishes that without breaking the site.

What happens during a free or paid audit

If you book an audit, you give me read-only access to your Google Ads account and (optionally) a recording of your most recent agency call. Here’s what happens to that material:

  • Mutual NDA first. A standard mutual non-disclosure is signed before I see any account, recording, or report. Nothing you send me appears in a case study, blog post, or LinkedIn anecdote without your written permission. Even with permission, identifying details are anonymised.
  • Read-only. I look at the account. I do not change settings, pause campaigns, edit bids, or make “helpful tweaks” while I’m in there. The change history will reflect zero activity from me.
  • Retention. I keep audit notes, the written report I deliver, and any recordings you sent for as long as the engagement is active, plus a reasonable archive period (typically twelve months) in case you come back with follow-up questions. After that they’re deleted on request, or on a periodic sweep, whichever comes first. If you want them deleted sooner, email me.
  • Removal. When the engagement ends, your read-only account access is revoked. If you forget to revoke on your side, I’ll remind you.

The Chrome extension

The PPC Red Flag Auditor extension (linked from the self-audit page) runs entirely in your browser. It does not phone home, collect telemetry, or transmit your account data anywhere. Source code ships in the install zip; you can read it before you load the extension. It requests the activeTab permission only: the extension can only see the Google Ads tab, and only while the panel is open.

The instant audit dashboard (connecting your Google Ads account)

The instant audit is different from the Chrome extension: it does send data to a backend. When you connect your account, you grant Google’s read-only Ads permission through Google’s own consent screen, and the audit runs on a server rather than in your browser. Here’s exactly what that means:

  • How the connection happens. Clicking “connect” sends your own browser to Google’s real sign-in screen as a normal page visit — you can see Google’s web address and the security padlock the entire time. There is no embedded or in-app browser window, and the whole exchange runs over an encrypted (HTTPS) connection. That follows Google’s own rules for how an app is allowed to ask for access.
  • Read-only, always. We request the Google Ads scope, which we use strictly read-only (search/read queries only), plus your email address. The tool reads your campaigns and reports to run its checks; it cannot change a bid, pause a campaign, or edit a single setting. Your change history will show zero activity from it.
  • What’s stored, and how. The access Google grants (your tokens) is encrypted before it’s saved, using AES-256-GCM, a strong industry-standard cipher, so the database only ever holds scrambled text, never the raw permission. Tokens are never written to logs and never shared. The audit results (the findings you see) and the context you type in (brand terms, competitors, buyer type, budget band) are stored so the report can be shown and re-run.
  • Where it lives. On a database hosted by Supabase, reachable only by the server side of this site, never by your browser or anyone else’s.
  • It only sees what Google reports. The audit reads what’s in your Google Ads account, not what actually closed in your CRM. It’s a sharp first pass, not the last word.
  • Disconnect and delete, any time. One click on the dashboard revokes the Google permission and deletes everything stored: your tokens and your saved audit results alike. No email required; you decide what I keep.
  • No extra tracking. The dashboard doesn’t add remarketing, profiling, or any analytics beyond the site-wide aggregate measurement described at the top of this page.

How we handle Google user data

This section covers the data the instant-audit dashboard accesses through Google’s APIs, and the limits we hold ourselves to.

  • Scopes we request. https://www.googleapis.com/auth/adwords, used on a strictly read-only basis (we only run read/search queries and never create, edit, pause, or delete anything), and https://www.googleapis.com/auth/userinfo.email, to identify your account and send you your report.
  • How we use it. Your Google Ads data is used only to generate the audit report you asked for, shown in your dashboard and, if you choose, emailed to you. It is never used for advertising, never sold, and never used to build profiles or train models.
  • Who it’s shared with. No one, beyond the infrastructure needed to run the service on your behalf (Supabase for encrypted storage, and, only if you click “email me this report,” Resend to deliver that email to your own address), or where required by law.
  • Human access. No human reads your Google Ads data except with your consent, where necessary for security or to fix a problem, or where required by law.

PPC Red Flags’ use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Email

If you email langtonac300@gmail.com, that email lands in a normal inbox. I read it. I respond, or I don’t. Your email address does not enter a CRM, an automation, or a list. There is no list.

Questions or removal requests

Email langtonac300@gmail.com. Subject line “Privacy” helps it surface. I’ll respond.