Privacy Policy for Mopac Software

1. Introduction

Mopac Software ("Mopac," "Company," "we," "us," or "our") operates the Mopac Software application (the "Service"). This Privacy Policy describes how we collect, use, disclose, and safeguard your information when you use our Service.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.

2. Information We Collect

A. Information You Provide

We collect information that you voluntarily provide to us when you:

• Register for an account (e.g., name, email address, company name)
• Connect your third-party advertising accounts (e.g., Google Ads)
• Use the Service to manage your advertising campaigns
• Contact us for support or provide feedback

B. Automatically Collected Information

When you use the Service, we automatically collect certain information, including:

• Usage Data: Information about how you interact with the Service, such as features used, actions taken, and time spent
• Device Information: Information about your device, browser type, operating system, and IP address
• Log Data: Server logs that may include IP addresses, access times, and referring URLs

C. Third-Party Advertising Account Data

With your authorization, we access data from your third-party advertising accounts (such as Google Ads) via their APIs. This includes campaign structure, ad copy, performance metrics, and other information necessary to provide the Service. We cache this data in our systems to render the Service quickly and to power features like top-performer matching.

D. Analytics, Advertising, and Payments Cookies

We use Google Analytics 4, the Meta (Facebook) Pixel, and PostHog to understand how visitors find and use the Service and to measure the effectiveness of our advertising. These tools set first-party cookies (for example _ga and _ga_* for Google Analytics, _fbp for the Meta Pixel where it is loaded, and ph_* for PostHog) and similar identifiers that record anonymous identifiers, page views, referral sources, and conversion events. We pass your Mopac user ID to these services after sign-in so we can attribute conversions; we do not pass your email or other directly identifying information to Google Analytics or the Meta Pixel.

Our payment processor (Stripe) sets fraud-prevention cookies on every page of the Service (such as __stripe_mid and __stripe_sid). These are used to detect bots, prevent payment fraud, and remember your session through checkout. They are necessary for the Service to function and are not used for advertising.

We also use PostHog as a product-analytics processor to understand how signed-in users interact with the Service after authentication. PostHog records page views, click events, and a session replay of in-product behavior so we can identify usability issues and prioritize improvements. Session replays mask all text inputs and rendered text by default; ad copy, account names, billing fields, passwords, and other free-text content are replaced with placeholders before leaving your browser. After you sign in, we pass your Mopac user ID, email address, and account name to PostHog so we can identify a session when responding to a support request. You may opt out of PostHog and the other trackers above on the Your Privacy Choices page, by enabling Global Privacy Control in your browser, or by emailing us to request a permanent opt-out tied to your account.

In addition to the in-product opt-out described above, visitors may opt out of Google Analytics by installing the Google Analytics opt-out browser add-on or opt out of Meta's ad personalization in their Meta ad preferences.

E. AI and Large-Language-Model Processing

Some features of the Service — including AI variant generation in Copy Refresh and top-performer matching — process your ad copy and related campaign data through large language models (LLMs) and embedding models hosted by third-party providers, currently OpenRouter and the upstream model providers it routes to (such as OpenAI). We send only the text and metrics required to fulfill the request you made through the Service.

We do not authorize these providers to use your data to train their models. We do not share Google user data with any LLM provider for advertising purposes. Outputs (generated variants, embeddings, summaries) are stored in our systems and tied to your account so you can reference them; they are deleted when you delete your account, on the timeline described in Section 6.

3. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the Service
• Process your requests and manage your advertising campaigns
• Communicate with you about the Service, updates, and support
• Analyze usage patterns and optimize Service performance
• Detect, prevent, and address technical issues or fraudulent activity
• Comply with legal obligations and enforce our Terms of Service

4. Data Sharing and Disclosure

A. Subprocessors and Service Providers

We share information with third-party service providers (subprocessors) who perform services on our behalf, including hosting, infrastructure, analytics, AI inference, and customer support. These providers are contractually obligated to protect your information and use it only for the purposes we specify. Our current categories of subprocessors include:

• Cloud infrastructure and hosting: Google Cloud Platform (Cloud Run, Cloud SQL, Secret Manager) and Firebase (Authentication, Firestore, Hosting).
• Database and search: MongoDB Atlas (vector search for top-performer matching).
• Payments: Stripe (subscription billing and invoicing).
• AI / LLM inference: OpenRouter and the upstream model providers it routes to (such as OpenAI), as described in Section 2E.
• Analytics and product telemetry: Google Analytics 4, Meta Pixel, and PostHog, as described in Section 2D.

Business customers subject to GDPR, CCPA, or similar laws may request a Data Processing Addendum (DPA) by emailing support@mopacsoftware.com.

B. Advertising Platforms

We interact with third-party advertising platforms (e.g., Google Ads) on your behalf, using their APIs to read and update your campaign data as directed by you through the Service.

C. Legal Requirements

We may disclose your information if required to do so by law or in response to valid requests by public authorities (e.g., a court or government agency).

D. Business Transfers

In connection with a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity, subject to the same privacy protections.

E. We Do Not Sell Personal Information for Money

Mopac does not sell personal information for money to anyone. Mopac is not a data broker. Some uses of analytics and ad-network cookies described in Section 2D may qualify as "sharing" under California's CPRA; you can opt out at any time on the Your Privacy Choices page.

5. Data Security

We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit and at rest
• Regular security assessments and updates
• Access controls and authentication mechanisms
• Employee training on data protection practices

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6. Data Retention

We retain your information for as long as your account is active and as needed to provide the Service. When you request deletion of your account, we complete deletion of your personal data, organization data, cached advertising data, and AI-related artifacts (such as embeddings and top-performer summaries) across our active systems within 30 days. Residual data in encrypted backups is purged within an additional 90 days. We may retain a limited record of the deletion request itself, plus financial records, as required by law.

7. Your Rights and Choices

A. Access and Correction

You have the right to access and update your account information through the Service or by contacting us at support@mopacsoftware.com.

B. Data Deletion

You may request deletion of your account from Settings → Profile or by emailing us. Deletion completes across our systems within 30 days, on the timeline described in Section 6. Some information may be retained as required by law or for legitimate business purposes (e.g., financial records).

C. Third-Party Account Access

You can revoke the Service's access to your third-party advertising accounts at any time through the respective platform's settings (e.g., Google Account permissions at myaccount.google.com/permissions).

D. Communication Preferences

You may opt out of receiving promotional communications from us by following the unsubscribe instructions in those communications or by contacting us. However, we may still send you service-related messages.

8. US State Privacy Rights (California, Texas, Virginia, Colorado, Connecticut, Utah, Oregon, and others)

If you are a resident of a US state with a comprehensive privacy law — including California (CCPA/CPRA), Texas (TDPSA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Oregon (OCPA) — you have the following rights, regardless of which state you live in:

• Right to know / access: request a copy of the personal information we hold about you and the categories of sources, purposes, and recipients of that information.
• Right to delete: request deletion of your personal information, on the timeline described in Section 6.
• Right to correct: request correction of inaccurate personal information.
• Right to opt out of sale/sharing: opt out of any "sale" or "sharing" of personal information for cross-context behavioral advertising. Use the Your Privacy Choices page or send a Global Privacy Control (GPC) signal from your browser; we honor both.
• Right to limit use of sensitive personal information: Mopac does not knowingly collect or process sensitive personal information beyond what is necessary to provide the Service.
• Right to non-discrimination: we will not deny you the Service, charge a different price, or provide a different level of quality because you exercised a privacy right.

How to exercise your rights: use the in-product Settings, the Your Privacy Choices page, or email support@mopacsoftware.com. We may need to verify your identity before responding to a request. If we deny your request, you have the right to appeal by replying to our denial email.

California-specific notice: in the preceding 12 months we have collected the categories of personal information described in Section 2 (identifiers, commercial information, internet activity, and inferences derived from the foregoing) for the business purposes described in Section 3. We have not sold personal information for money. We have "shared" identifiers and internet activity with the analytics and ad-network providers listed in Section 2D for cross-context behavioral advertising; the Your Privacy Choices page is the opt-out mechanism required by Cal. Civ. Code §1798.135.

9. Compliance with Google API Services User Data Policy

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only use Google user data to provide and improve the user-facing features of the Service.
• We do not transfer Google user data to third parties except (a) to the subprocessors listed in Section 4A as necessary to provide the Service, (b) to comply with applicable law, or (c) as part of a merger or acquisition with appropriate notice.
• We do not use Google user data for serving advertisements.
• We do not allow humans to read Google user data unless we have your affirmative agreement, it is necessary for security purposes, or it is required to comply with applicable law.
• We do not use Google user data to train, fine-tune, or improve generalized AI or machine-learning models. LLM and embedding providers we use (Section 2E) operate under terms that prohibit training on customer data.

10. International Users and Data Transfers

The Service is offered from the United States and is primarily intended for US customers. We do not actively market the Service in the European Union, the United Kingdom, the European Economic Area, or Switzerland.

If you choose to use the Service from outside the United States, you understand that your information will be transferred to and processed in the United States. Where applicable, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum as the legal basis for such transfers, and we apply equivalent safeguards regardless of jurisdiction.

11. Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top. Your continued use of the Service after such changes constitutes your acceptance of the updated Privacy Policy.

13. Contact Us

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at: