Privacy Policy

Last updated: March 23, 2026

1. Who We Are

Xylo ("we," "us," or "our") operates the website xyloapi.dev and the Xylo REST API (collectively, the "Service"). Xylo provides a simplified API layer that enables developers and businesses to interact with Meta's Marketing API for advertising campaign management, reporting, and optimization.

Contact us at: privacy@xyloapi.dev

2. Data We Collect

2.1 Information You Provide Directly

  • Account registration data: email address used to create your Xylo account and receive your API key.
  • Organization name: derived from your email or provided during setup.

2.2 Data Obtained via Meta Platform

When you connect your Meta ad account through our OAuth flow, we access the following data from Meta's Marketing API on your behalf:

  • Ad account information: account ID, account name, currency, timezone, spend caps, and account status.
  • Campaign data: campaign names, statuses, objectives, budgets, and scheduling.
  • Ad set data: targeting parameters, bid strategies, optimization goals, and budgets.
  • Ad data: ad creative details, headlines, body text, images, links, and call-to-action settings.
  • Performance metrics: spend, impressions, clicks, CTR, CPC, CPM, reach, frequency, conversions, cost per conversion, and ROAS.
  • Audience data: custom audience names and configurations, lookalike audience parameters.
  • Page engagement data: page IDs associated with ad creatives (accessed via the pages_read_engagement permission).

2.3 Automatically Collected Data

  • API usage logs: endpoints called, response times, status codes, timestamps, and whether responses were served from cache.
  • IP addresses: collected for rate limiting and abuse prevention.

3. How We Use Your Data

We process your data for the following purposes:

  • Providing the Service: proxying your requests to Meta's Marketing API, translating data formats, caching responses for performance, and returning clean API responses to your applications and AI agents.
  • Authentication and authorization: verifying your API key, validating your connection to specific Meta ad accounts, and managing OAuth tokens.
  • Usage tracking and billing: counting API calls for plan limits and billing purposes.
  • Rate limiting and abuse prevention: enforcing per-minute request limits and preventing unauthorized access.
  • Service improvement: analyzing aggregate usage patterns to improve API reliability and performance.
  • Communication: sending transactional emails such as API key delivery and token expiration alerts.

4. Meta Platform Data Usage

Xylo uses Meta's Business Tools (Marketing API) to access your advertising data. Our use of data received from Meta APIs adheres to the Meta Platform Terms and Meta Developer Policies. Specifically:

  • We only access Meta data that you have explicitly authorized through the OAuth consent flow.
  • We do not use your advertising data for any purpose other than providing the Service to you.
  • We do not use your advertising data to build user profiles for advertising or retargeting.
  • We keep each advertiser's data separated from other advertisers' data.
  • We do not sell, license, or otherwise distribute your Meta advertising data to third parties.
  • Advertising performance data is used only to serve your API requests and is not used on an individual basis for any other purpose.

5. Data Sharing

We share your data only in the following circumstances:

  • With Meta: we send API requests to Meta's Marketing API on your behalf using your authorized access token. This is necessary to provide the Service.
  • Service providers: we use Supabase for database hosting, Vercel for web hosting, and Resend for transactional email. These providers process data on our behalf under contractual obligations.
  • Legal requirements: we may disclose data if required by law, regulation, legal process, or governmental request.

We do not sell your personal data or Meta advertising data to any third party.

6. Data Storage and Security

We implement the following security measures:

  • Token encryption: Meta OAuth access tokens are encrypted at rest using AES-256-GCM encryption. Encryption keys are stored separately from the database in environment variables.
  • API key hashing: API keys are stored as SHA-256 hashes. The plaintext key is shown to you once at creation and never stored.
  • HTTPS only: all API and web traffic is encrypted in transit via TLS.
  • Access controls: API keys are scoped to organizations, and each organization can only access its own connected ad accounts.
  • Audit logging: every API request is logged with endpoint, status code, and timing for security monitoring.

7. Data Retention

  • Account data: retained for as long as your account is active. Deleted upon account deletion request.
  • Meta OAuth tokens: encrypted tokens are retained while the connection is active (up to 60 days per token lifecycle). Expired tokens are automatically refreshed or marked as expired.
  • Cached API responses: automatically expire based on data type (5–60 minutes) and are purged after expiration.
  • Usage logs: retained for billing and analytics purposes for up to 12 months, then deleted.

8. Your Rights and Data Deletion

You have the right to:

  • Access your data: request a copy of the personal data we hold about you.
  • Correct your data: request correction of inaccurate personal data.
  • Delete your data: request deletion of your account, API keys, connected accounts, cached data, and usage logs.
  • Disconnect Meta accounts: revoke Xylo's access to your Meta ad accounts at any time through your Meta Business Settings.
  • Data portability: request your data in a machine-readable format.

To exercise any of these rights, contact us at privacy@xyloapi.dev. We will respond to all requests within 30 days.

You may also delete your data by revoking Xylo's access in your Meta Business Integrations settings. When you revoke access, we will delete all stored tokens and cached data associated with your ad accounts.

9. Cookies

The Xylo website uses only essential cookies required for the OAuth authentication flow. We do not use advertising cookies, tracking cookies, or analytics cookies.

10. Children's Privacy

Xylo is a developer tool and is not directed at children under 13. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at privacy@xyloapi.dev.

11. International Data Transfers

Your data may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place for international data transfers in compliance with applicable data protection laws.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. Your continued use of the Service after changes constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

Email: privacy@xyloapi.dev