Privacy Policy
Effective date: July 15, 2026
StormFunnel (“StormFunnel,” “we,” “us,” or “our”) is a service operated by exegov.ai [EXEGOV LEGAL ENTITY NAME AND REGISTERED ADDRESS — BART TO CONFIRM], its parent company. StormFunnel monitors National Weather Service (NWS) alerts and creates geo-targeted Google Ads campaigns in our customers’ own Google Ads accounts. This Privacy Policy explains what information we collect, how we use and protect it, who we share it with, and the choices you have.
StormFunnel is a business-to-business service intended for use by companies and their authorized representatives in the United States. It is not directed at children, and we do not knowingly collect information from anyone under 18.
1. Information we collect
Account information
When you create an account we collect your name, email address, company name, and password credentials (stored only in hashed form) or sign-in identifiers provided by your authentication provider.
Google Ads data (via Google OAuth)
If you connect your Google Ads account, you grant StormFunnel access through Google OAuth. In connection with that grant we receive and store:
- OAuth tokens (access and refresh tokens) that allow StormFunnel to act on your Google Ads account with the permissions you approved. Refresh tokens are encrypted at rest.
- Account and campaign data accessed through the Google Ads API: your Google Ads customer ID, account settings relevant to campaign creation, and the campaigns, ad groups, ads, keywords, and budgets that StormFunnel creates or manages for you.
- Performance data for those campaigns (impressions, clicks, cost, conversions), used to show you reporting and spend tracking inside StormFunnel.
Our handling of all data received from Google APIs is further restricted by the Limited Use disclosure in Section 4.
Service-area and weather-alert data
We collect the service areas you configure (such as ZIP codes, radii, towns, or counties) and we process public severe-weather alert data published by the National Weather Service to match alerts to your service area. Weather alerts are public data and are not personal information; your service-area configuration is treated as your business data.
Billing information
Payments are processed by Stripe, Inc. Your card number and full payment details are collected directly by Stripe and never touch StormFunnel’s servers. We receive from Stripe only limited billing metadata such as subscription status, invoice history, the last four digits of your card, and card brand and expiration, so we can display billing information to you and operate your subscription.
Usage and technical data
We collect usage analytics about how you interact with StormFunnel (pages viewed, features used, actions taken), device and browser information, IP address, and application logs and error reports. We use this to operate, secure, debug, and improve the service.
2. How we use your information
- To provide the service: monitoring weather alerts for your service area, creating and managing Google Ads campaigns you have configured, enforcing your budget guardrails, and showing you campaign and spend reporting.
- To send you service emails, such as storm-alert notifications, campaign approval requests, campaign status updates, spend notifications, and billing and account messages.
- To generate campaign and budget recommendations, including AI-assisted recommendations (see Section 6 regarding our subprocessor Anthropic).
- To process payments and manage subscriptions through Stripe.
- To secure the service, prevent abuse, debug problems, and improve features.
- To comply with legal obligations.
We do not sell your personal information, and we do not use your data for third-party advertising or cross-context behavioral advertising.
3. Legal bases and marketing
We process your information to perform our contract with you, to pursue the legitimate interests described above, with your consent where required, and to meet legal obligations. We may send you product news about StormFunnel itself; you can opt out of non-essential emails at any time using the unsubscribe link, and service-critical notifications (such as spend alerts you configured) can be managed in your notification settings.
4. Google API Services — Limited Use disclosure
StormFunnel’s use and transfer to any other application of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
In particular:
- We only use data received from Google APIs to provide and improve the user-facing features of StormFunnel that you see and interact with: creating and managing the Google Ads campaigns you configure, and showing you reporting, spend tracking, and recommendations for your own account.
- We do not use data received from Google APIs to serve advertisements, including retargeting, personalized, or interest-based advertising. (StormFunnel creates campaigns in your own Google Ads account at your direction; it does not use your Google data to target ads at you or anyone else.)
- We do not sell data received from Google APIs.
- We do not transfer data received from Google APIs to third parties except as necessary to provide or improve user-facing features (via the subprocessors listed in Section 6, acting on our instructions), to comply with applicable law, or as part of a merger or acquisition with prior notice to you.
- We do not allow humans to read data received from Google APIs, except (a) with your explicit consent, (b) as necessary for security purposes such as investigating abuse, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymized for internal operations.
- We do not use data received from Google APIs to develop, improve, or train generalized artificial-intelligence or machine-learning models.
5. Storage, security, and encryption
- Data is stored with our hosting and database providers (Vercel and Neon) in the United States, encrypted in transit (TLS) and at rest.
- Google OAuth refresh tokens are additionally encrypted at rest at the application level before storage; decryption keys are managed separately from the database.
- Passwords, where used, are stored only as salted hashes.
- Access to production systems is restricted to authorized personnel on a need-to-know basis and is logged.
No method of transmission or storage is completely secure; we cannot guarantee absolute security, but we work to protect your information with industry-standard measures.
6. Sharing and subprocessors
We do not sell or rent your personal information. We share it only with service providers (subprocessors) that help us operate StormFunnel, under contracts that restrict their use of the data to providing services to us:
- Vercel — application hosting and content delivery.
- Neon — managed Postgres database hosting.
- Stripe — payment processing and subscription billing.
- SendGrid — transactional email delivery (alerts, approvals, notifications).
- Sentry — error monitoring and application diagnostics.
- Anthropic — AI-assisted campaign and budget recommendations. Data sent to Anthropic is used only to generate recommendations displayed to you and is not used by Anthropic to train its models [CONFIRM ANTHROPIC API DATA-USE / ZERO-RETENTION TERMS — BART].
We may also disclose information if required by law or legal process, to protect the rights, safety, or property of StormFunnel or others, or in connection with a merger, acquisition, or sale of assets (in which case this policy will continue to apply and we will notify you of any change of controller).
7. Data retention and deletion
- Account and configuration data is retained while your account is active and deleted or anonymized within 30 days after account deletion, except where longer retention is required by law (for example, billing records retained for tax purposes).
- Google OAuth tokens are deleted promptly when you disconnect your Google Ads account, when you delete your StormFunnel account, or when Google notifies us of revocation.
- Campaign and performance data imported from the Google Ads API is retained while your Google Ads connection is active and deleted within 30 days after disconnection or account deletion.
- Application logs and error reports are retained for up to 90 days.
[RETENTION PERIODS — LAWYER TO CONFIRM FINAL NUMBERS]
You can request deletion of your account and associated data at any time by contacting us (Section 12) or using in-app account deletion where available.
8. Revoking StormFunnel’s access to Google
You can revoke StormFunnel’s access to your Google Ads account at any time:
- In StormFunnel: use the “Disconnect Google Ads” option in your account settings. This deletes our stored tokens for your account.
- In Google: visit your Google Account security settings at myaccount.google.com/permissions and remove StormFunnel’s access.
After revocation StormFunnel can no longer create or manage campaigns in your Google Ads account. Campaigns that already exist in your Google Ads account are yours and remain under your control there.
9. Your rights
Depending on where you live, you may have the right to access, correct, download, restrict, or delete your personal information, and to object to certain processing. To exercise any of these rights, contact us at the address in Section 12. We will verify your request and respond within the time required by applicable law. We will not discriminate against you for exercising your rights.
10. California privacy rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act as amended (CCPA/CPRA) gives you specific rights:
- Right to know — request the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the categories of third parties with whom it is shared.
- Right to delete — request deletion of your personal information, subject to legal exceptions.
- Right to correct — request correction of inaccurate personal information.
- Right to opt out of sale or sharing — we do not sell personal information and do not share it for cross-context behavioral advertising, so there is nothing to opt out of.
- Non-discrimination — we will not treat you differently for exercising these rights.
Categories of personal information we collect are described in Section 1 and map to the CCPA categories of identifiers, commercial information, internet activity, and professional information. We retain each category as described in Section 7. To exercise your California rights, email us at the address in Section 12; you may use an authorized agent as permitted by law.
11. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes we will notify you by email or by a prominent notice in the app before the changes take effect, and we will update the effective date above. Your continued use of StormFunnel after the effective date constitutes acceptance of the updated policy.
12. Contact
Questions, requests, or complaints about privacy can be sent to: support@stormfunnel.com
Postal address: [EXEGOV LEGAL ENTITY NAME AND REGISTERED ADDRESS — BART TO CONFIRM]