The short version
Your video files are deleted the moment analysis finishes. We never store your raw creative. The analysis result (scores, transcripts, acoustic data) stays in your account until you delete it. No one at AdZhi can see your clients' ads without your credentials. Your data is never used to train our models without explicit opt-in.
What happens to your video files
When you upload a video or submit a YouTube URL, this is the exact sequence:
- File is uploaded to our analysis server over HTTPS (encrypted in transit)
- Stored temporarily in
/tmp— an ephemeral filesystem that never touches permanent storage - Whisper transcription runs locally on our server — your audio never leaves our infrastructure
- Acoustic analysis (pitch, energy, HNR) runs locally — no audio sent to any third party
- Only the transcript text is sent to Anthropic (Claude) for linguistic analysis — never the audio or video
- File is deleted immediately after analysis completes — success or failure
- Raw video is never written to our database
What we store
After analysis, we store the derived output in your account:
- Transcript — the spoken words from your ad
- Acoustic metrics — numerical scores (pitch, energy, WPM, etc.)
- Analysis results — scores, misalignments, recommendations
- Filename — so you can identify which ad the result belongs to
We do not store: the video file, the audio file, or any metadata from your ad account.
Who can see your data
- Only you (and team members you invite) can see your analyses
- AdZhi staff cannot view your analysis results without your credentials — there is no admin backdoor into user data
- Share links you create expose only that specific report, to anyone with the link — you control this
- Your data is never shared with other AdZhi customers or used in aggregate benchmarks without anonymisation
Authentication and access control
- Passwords are hashed with bcrypt — we never store plaintext passwords and cannot recover them
- Sessions use signed JWT tokens that expire after 60 minutes
- All API requests require authentication — no unauthenticated data access
- Every database query is scoped to your user ID — no cross-account data access is possible by design
- Password reset uses single-use time-limited tokens sent to your verified email
Encryption
- In transit: All connections use TLS 1.2+ (HTTPS). HTTP is not served.
- At rest: Database hosted on Render/Railway managed Postgres — encryption at rest enabled at the infrastructure level
- Passwords: bcrypt with cost factor 12 — not reversible
What goes to Anthropic (Claude)
Our analysis uses Claude (Anthropic) for linguistic intelligence — hook scoring, act structure, persuasion analysis. When we call the Claude API, we send:
- The transcript text from your ad
- Acoustic signal summaries (numbers, not audio)
- No filenames, no user IDs, no account information
Anthropic's API does not use submitted prompts to train their models. See Anthropic's privacy policy.
Subprocessors
The following third parties process data as part of the AdZhi service:
| Processor | Purpose | Data processed | Location |
|---|---|---|---|
| Render / Railway | Infrastructure hosting | All application data, video files (temporary), database | US / EU |
| Anthropic | Linguistic analysis (Claude API) | Ad transcript text only — no audio, no video, no PII | US |
| Stripe | Payment processing | Billing information, card details (Stripe-direct, never touches AdZhi servers) | US / EU |
| Resend | Transactional email | Email address, email content | US |
| Plausible Analytics | Website analytics | Cookieless page view counts — no personal data | EU |
| AssemblyAI (optional) | Fallback transcription for complex audio | Audio file — only used when Whisper confidence is low | US |
Your rights
- Export your data at any time — email privacy@adzhi.co.uk
- Delete your account and all associated data — request via account settings or email
- Correct any inaccurate personal information
- Opt out of marketing emails — one-click unsubscribe in every marketing email
- Request a Data Processing Agreement (DPA) for GDPR compliance — email us
ML model training (opt-in)
AdZhi improves its models using acoustic feature data from analyses. This is strictly opt-in — off by default for all accounts. You enable it in Account → Data & Privacy.
When opted in, the following is logged after each analysis:
- Numeric acoustic features: pitch range, energy values, WPM, disfluency count, silence ratio — numbers only, not audio
- Scores: AdZhi Score, hook score, CTA energy, voice quality, structure score
- Context signals: inferred industry, platform, objective (not your ad account data)
- Your job ID (internal reference) and user ID
What is never included in training data, even when opted in:
- Your video or audio file
- Your transcript or any spoken words
- Your ad account data, spend, or performance metrics
- Any personally identifying information
- Your company name or brand name
You can opt out at any time from Account → Data & Privacy. Previously contributed feature vectors are retained in anonymised form — they cannot be linked back to your account. To request deletion of all contributed data, email privacy@adzhi.co.uk.
Why opt in? Your data helps AdZhi predict performance more accurately for everyone. The Phase 2 XGBoost models that convert heuristic predictions into validated ones require labelled training data from real ads. Users who opt in are directly improving the product for themselves and other performance marketers.
Reporting a vulnerability
If you discover a security vulnerability in AdZhi, please report it responsibly to security@adzhi.co.uk. We will acknowledge within 48 hours and aim to resolve critical issues within 7 days. Please do not publicly disclose vulnerabilities before we have had a chance to address them.
What we don't have yet (and why)
We're honest about where we are:
- SOC 2 Type II: This requires a year-long audit process and ~£15k in fees. We're working toward it as we grow. Enterprise customers who require it can contact us to discuss timelines.
- ISO 27001: Similarly, an enterprise compliance requirement we're working toward.
- Penetration test: Planned for Q3 2026 with a third-party firm.
For SMB and agency customers, the security controls above are appropriate for the data involved (ad creative and acoustic analysis). We don't process payment card data, health data, or sensitive personal information.
Privacy contact: privacy@adzhi.co.uk
DPA requests: Email privacy@adzhi.co.uk with subject "DPA Request"
Data deletion: Email privacy@adzhi.co.uk with subject "Delete My Data"