Privacy Policy
Last updated: April 22, 2026
1. Introduction
This Privacy Policy describes how Advocacy Holdings, Inc. (“Company,” “we,” “us”), operating One Click Campaign Studio (“OCCS,” “the Service”), collects, uses, stores, and shares personal information when you use our platform. By using the Service, you consent to the practices described in this policy.
Advocacy Holdings, Inc.
1717 Pennsylvania Avenue NW, Suite 1025
Washington, DC 20006
2. Information we collect
Account information: Name, email address, password (hashed, never stored in plaintext), job title, organization name, and profile photo.
Billing information: Payment card details are collected and processed directly by Stripe. We do not store card numbers, CVVs, or full card details on our servers. We store Stripe customer IDs and subscription status.
Content you create: Campaigns, campaign branches, assets (images, video, audio, text), contact lists, email/SMS broadcasts, scheduled posts, sales videos, sequences, and any AI-generated content.
Contact data you upload: Names, email addresses, phone numbers, and other fields you import via CSV, Google Sheets, or manual entry. You are the data controller for this information.
Connected accounts: When you connect social media accounts (Facebook, Instagram, Google/YouTube, X/Twitter, TikTok), we store OAuth access tokens (encrypted at rest) and account metadata. We do not store your social media passwords.
Usage data: Pages visited, features used, AI generation events (provider, function, cost, timestamp), and performance metrics. This data is used to operate and improve the Service.
Device and log data: IP address, browser type, operating system, and request timestamps collected automatically via server logs.
3. How we use your information
- Provide the Service: Authenticate your account, manage workspaces, generate content, publish campaigns, send broadcasts, and process billing.
- AI content generation: Your brand profile, campaign briefs, and product details are sent to AI providers (OpenAI, Replicate, ElevenLabs) to generate text, images, video, and audio. These providers process the data under their own terms and data processing agreements.
- Social media publishing: Your content and connected-account credentials are used to publish posts to the platforms you authorize.
- Email and SMS delivery: Your contact lists and message content are transmitted to SendGrid (email) and Twilio (SMS) for delivery.
- Billing: Subscription and usage data is shared with Stripe to process payments and generate invoices.
- Communication: We send transactional emails (account confirmation, password reset, team invitations, action-item notifications) via SendGrid.
- Improvement: Aggregated, anonymized usage data helps us improve the Service. We do not train AI models on your content.
- Legal compliance: We may process data as required by law, regulation, or legal process.
4. Subprocessors
We share personal data with the following categories of third-party processors, each of which processes data only as necessary to provide their service:
| Provider | Purpose | Data shared |
|---|---|---|
| Stripe | Payment processing | Email, billing info, subscription data |
| Twilio | SMS delivery | Phone numbers, message content |
| SendGrid | Email delivery | Email addresses, message content |
| OpenAI | Text generation | Prompts containing brand/campaign context |
| Replicate | Image/video generation | Text prompts |
| ElevenLabs | Voice narration | Script text |
| Render | Hosting infrastructure | All application data (encrypted at rest) |
| Sentry | Error monitoring | Error context (no PII transmitted) |
| Meta / Google / X / TikTok | Social publishing | Post content, media, account tokens |
5. Data security
We protect your data with:
- Encryption in transit (TLS/HTTPS enforced on all connections)
- Encryption at rest for sensitive fields (OAuth tokens, S3 credentials) via Active Record Encryption
- Passwords hashed with bcrypt (12 cost factor)
- Content Security Policy headers to prevent cross-site scripting
- SSRF protection on all outbound HTTP requests
- Rate limiting on authentication and public endpoints
- Role-based access controls with Pundit authorization policies
- Audit logging for administrative actions (impersonation, key rotation)
No system is 100% secure. We will notify affected users promptly in the event of a data breach as required by applicable law.
6. Data retention
Active accounts: We retain your data for the duration of your account plus 30 days after cancellation to allow for reactivation.
After deletion request: We delete or anonymize your personal data within 30 days of a verified deletion request, except where retention is required by law (e.g., billing records for tax purposes, which are retained for 7 years).
AI usage logs: AI generation event metadata (provider, function, cost, timestamp) is retained for 12 months for billing reconciliation and then anonymized.
Server logs: IP addresses and request logs are retained for 90 days for security and debugging purposes.
7. Cookies and tracking
Essential cookies: We use session cookies and CSRF tokens required for the Service to function. These cannot be disabled.
Analytics: We do not currently use third-party analytics cookies. If we add analytics tracking in the future, we will update this policy and obtain consent where required.
Do Not Track: We honor Do Not Track browser signals.
8. Your rights
Depending on your jurisdiction, you may have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your data (“right to be forgotten”)
- Export: Request a machine-readable export of your data
- Restriction: Request that we limit processing of your data
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact privacy@1clickcampaign.com. We will respond within 30 days.
9. California residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information we collect and how it is used
- Right to delete personal information
- Right to opt out of the “sale” of personal information — we do not sell your personal information
- Right to non-discrimination for exercising your privacy rights
10. European residents (GDPR)
If you are in the European Economic Area (EEA) or United Kingdom, we process your data under the following legal bases:
- Contract: Processing necessary to provide the Service you signed up for
- Legitimate interest: Service improvement, security, and fraud prevention
- Consent: Where required (e.g., optional analytics, marketing communications)
- Legal obligation: Tax records, law enforcement requests
Data transfers outside the EEA are protected by Standard Contractual Clauses or equivalent safeguards. You may lodge a complaint with your local supervisory authority.
11. Children
The Service is not directed to children under 16. We do not knowingly collect personal data from children. If we learn that we have collected data from a child, we will delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 30 days before they take effect. The “Last updated” date at the top reflects the most recent revision.
13. Contact
For privacy questions or data requests:
Advocacy Holdings, Inc.
1717 Pennsylvania Avenue NW, Suite 1025
Washington, DC 20006
privacy@1clickcampaign.com