Security & data handling

Your data stays yours. Here is exactly how.

This page explains where your data is stored, how it is protected, who can access it, and what LDOO cannot do. No marketing language. Just the facts.

01. Where your data is stored

Everything LDOO stores lives in your own PostgreSQL database, managed by Supabase. Marketing data, conversations, reports, portals, alerts—all in one place, all under your account.

Marketing data
Stored in your own PostgreSQL database. Never copied to an external system. Synced from connected platforms via background jobs.
Conversations
Questions, answers, and metadata stored in your database. Scoped to your account. Not shared, aggregated, or used outside your account.
Reports and portals
Report content and portal layouts stored in your database. Generated PDFs stored in Supabase Storage, scoped to your account.
Query cache
Recent query results cached in Redis for 15 minutes to speed up repeat questions. Cache is automatically cleared when new data syncs.
Alerts
Anomaly and opportunity alerts stored in your database. Generated after each data sync. Scoped to the client and account that owns the data.

LDOO does not replicate your data to a separate data warehouse, analytics service, or third-party storage system. When you delete your account, your data is deleted. There is no secondary copy to clean up.

02. How your data is encrypted

Credentials are encrypted at rest. Data moves over encrypted connections. Passwords are hashed and not reversible.

OAuth tokens
Access and refresh tokens for all connected platforms (Google, Meta, LinkedIn, X, HubSpot, Shopify, Microsoft) encrypted at rest using AES-256.
Portal passwords
Hashed with bcrypt before storage. Never stored in plaintext. Not retrievable after creation—only resettable.
Data in transit
All communication between your browser, LDOO servers, Supabase, and third-party APIs uses TLS (HTTPS). No unencrypted connections.
Data at rest
Your PostgreSQL database is encrypted at rest by Supabase using AES-256. Backups are also encrypted.

AES-256 is the same encryption standard used by banks and government agencies. It is the industry baseline for data at rest. LDOO does not use weaker alternatives.

03. How clients are separated

If you manage multiple clients, each one is isolated from the others at the database level. This is not an application feature—it is a structural guarantee enforced by PostgreSQL.

Database-level enforcement
PostgreSQL Row-Level Security (RLS) filters every query by account_id and client_id. This runs inside the database engine—not in application code.
Cross-client boundary
A question about Client A cannot return data from Client B. Even in cross-client mode (comparing all clients), results are scoped to your account only.
Cross-account boundary
No data is shared between LDOO accounts. There is no benchmarking, aggregation, or cross-account analytics of any kind.
Defence in depth
Both the application layer and the database enforce client scoping independently. A bug in one cannot bypass the other.

Row-Level Security (RLS) runs inside the database engine. Every query—whether from the application, the AI pipeline, a background job, or an API call—is filtered before results are returned. This cannot be bypassed by application code.
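
An added example, not LDOO's schema or code: a minimal PostgreSQL policy of the kind described above, followed by a check that the connecting role is actually subject to it. The table, the `app_user` role and the `app.*` session settings are hypothetical, and the rows are constructed.

```sql
-- Added example. Table, role and app.* setting names are hypothetical.
CREATE TABLE marketing_metrics (
    id         bigserial PRIMARY KEY,
    account_id uuid    NOT NULL,
    client_id  uuid    NOT NULL,
    metric     text    NOT NULL,
    value      numeric NOT NULL
);

-- Constructed sample rows, loaded before the policy is switched on.
INSERT INTO marketing_metrics (account_id, client_id, metric, value) VALUES
  ('11111111-1111-1111-1111-111111111111', 'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', 'clicks', 120),
  ('11111111-1111-1111-1111-111111111111', 'bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb', 'clicks', 75),
  ('22222222-2222-2222-2222-222222222222', 'cccccccc-cccc-cccc-cccc-cccccccccccc', 'clicks', 300);

ALTER TABLE marketing_metrics ENABLE ROW LEVEL SECURITY;
-- Without FORCE the table owner is exempt from its own policies.
ALTER TABLE marketing_metrics FORCE ROW LEVEL SECURITY;

-- No WITH CHECK clause, so the USING expression also guards writes.
-- An unset or empty setting becomes NULL, which matches no row (fail closed).
CREATE POLICY tenant_isolation ON marketing_metrics
USING (
    account_id = NULLIF(current_setting('app.account_id', true), '')::uuid
    AND (
        current_setting('app.cross_client', true) = 'on'  -- compare-all-clients mode
        OR client_id = NULLIF(current_setting('app.client_id', true), '')::uuid
    )
);

CREATE ROLE app_user NOLOGIN;  -- ordinary role: no SUPERUSER, no BYPASSRLS
GRANT SELECT ON marketing_metrics TO app_user;

-- One request: identity is pinned for the transaction, the query has no WHERE.
BEGIN;
SET LOCAL ROLE app_user;
SELECT set_config('app.account_id', '11111111-1111-1111-1111-111111111111', true);
SELECT set_config('app.client_id',  'aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa', true);
SELECT client_id, metric, value FROM marketing_metrics;
ROLLBACK;

-- Audit: tables without enforced RLS, and roles that skip RLS entirely.
SELECT relname, relrowsecurity, relforcerowsecurity
FROM pg_class
WHERE relkind = 'r' AND relnamespace = 'public'::regnamespace
  AND NOT (relrowsecurity AND relforcerowsecurity);
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```

PostgreSQL evaluates the policy for whatever role and settings the connection carries, so superusers and roles with `BYPASSRLS` are not filtered, and the `app.*` values are only as trustworthy as the server-side code that sets them. The two audit queries are what to run when reviewing a deployment that relies on RLS for tenant isolation.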

04. What LDOO can access on each platform

LDOO connects to 11 supported sources across analytics, advertising, CRM, commerce, video, spreadsheets, and behavioral analytics. Every connection is read-only. LDOO cannot modify campaigns, budgets, bids, or account settings on any platform.

Google Analytics
Read-only access to properties, metrics, and dimensions via the GA4 Data API.
Google Ads
Read-only access to campaigns, ad groups, keywords, and performance metrics.
Meta Ads
Read-only access to campaigns, ad sets, ads, and performance data via the Marketing API.
Search Console
Read-only access to search queries, pages, clicks, impressions, and position data.
Shopify
Read-only access to orders, products, and revenue data.
YouTube Analytics
Read-only access to channel and video performance metrics.
LinkedIn Ads
Read-only access to campaigns, demographics, and B2B performance metrics.
X Ads
Read-only access to campaigns, engagement, spend, and conversion metrics.
HubSpot CRM
Read-only access to contacts, companies, deals, and pipeline performance data.
Microsoft Clarity
Read-only access to behavioral signals: rage clicks, dead clicks, scroll depth, session counts.
Google Sheets
Read-only access to spreadsheets you explicitly select. LDOO does not access other files in your Google account.

Each connection uses standard OAuth—the same authorization flow used by Google, Meta, and Shopify for all third-party apps. You authorize access explicitly, and you can revoke it at any time from your platform settings or from within LDOO.

05. What the AI sees and does not see

Here is exactly what Anthropic's Claude receives for each answer, what it never sees, and what happens to the payload after the request completes.

What the AI receives
The question you asked, the schema of your data (column names and types), and the query results for that specific question. Nothing else.
What the AI does not receive
Raw credentials, OAuth tokens, full database access, data from other clients, data from other accounts, or any personally identifiable information beyond what exists in your marketing data.
No model training
Your data is not used to train, fine-tune, or improve AI models. Anthropic’s policy: prompts and completions are not retained beyond the API request lifecycle.
Server-side only
All AI calls run server-side via Supabase Edge Functions. The API key is never exposed to the browser. No client-side code can invoke the AI.
Scoped per question
Each question gets its own isolated context. The AI cannot browse, search, or explore your database. It sees only the data the pipeline provides for that specific question.

Anthropic's data retention policy: API inputs and outputs are automatically deleted within 30 days. They are not used for training, fine-tuning, or any form of model improvement. This applies to all data LDOO sends.

06. Who can access what

LDOO has three types of users: account owners, team members, and external recipients (clients viewing a portal or report). Each has different access levels.

User authentication
Email/password and Google OAuth via Supabase Auth. Sessions are short-lived, validated server-side on every request, and use secure HTTP-only cookies.
Team permissions
Team members are invited by account owners. Conversations, reports, and client data respect member-level permissions. Activity is logged.
Client portal access
Portals are accessed via a unique share link. No LDOO account required. Optional password protection with bcrypt hashing and 5-attempt lockout. Configurable expiry dates.
Shared report links
Report links can be password-protected and set to expire. Recipients see only the report content. No access to the agency account or LDOO interface.
Revocation
Any portal or shared report link can be revoked instantly. Revocation takes effect immediately—no cache delay, no grace period.
Token refresh and expiry
OAuth tokens are refreshed automatically before they expire. If a refresh fails (access revoked by the platform), the connection is marked expired and you are prompted to reconnect.

Client-facing surfaces—portals and shared reports—are designed so recipients see only what you intend. No LDOO navigation, no other clients, no agency data. Clients do not need an LDOO account. Access is controlled by the link, optional passwords, and expiry settings.

07. Infrastructure and operations

LDOO runs on production-grade infrastructure with automated backups, error tracking, and rate limiting.

Hosting
Application hosted on Vercel. Edge-optimised globally. Automatic failover across regions.
Database
Supabase-managed PostgreSQL with automated backups, point-in-time recovery, and encrypted storage.
Edge Functions
AI queries and data operations run in isolated Supabase Edge Functions. Each request is sandboxed with no cross-request state sharing.
Background jobs
Background operations use redundant job queues with automatic retry on failure. All errors are logged and surfaced. No silent failures.
Error tracking
Runtime errors tracked via Sentry with source maps. No customer data is included in error reports.
Rate limiting
API endpoints and AI calls are rate-limited per account via Upstash Redis. Prevents abuse without affecting normal usage.

08. What LDOO will never do

Clear boundaries, stated plainly.

LDOO cannot modify your ad accounts, analytics properties, campaigns, budgets, or bids. All platform access is read-only.
LDOO does not send emails on your behalf unless you explicitly configure scheduled report delivery or portal creation notifications.
LDOO does not share data between accounts. There is no cross-account analytics, benchmarking, or data pooling.
LDOO does not use your data to train, fine-tune, or improve AI models for any purpose.
LDOO does not store marketing data or conversation history outside your database.
LDOO does not access platforms you have not explicitly connected. Each integration requires your manual authorization.
LDOO does not retain query results beyond the 15-minute cache window. Cache is cleared on every new data sync.

If you have questions about data handling, security, or compliance that are not covered here, get in touch. For details on how the AI pipeline works, see How it works.