Last updated: May 2026
Privacy Policy
How Munero handles your data.
Munero is operated by Alpharoot Marketing LLC FZE (United Arab Emirates), the data controller for purposes of this policy. This page explains what we collect, why, where it lives, and the rights you have over it.
Effective: 2026-05-02 · Contact: privacy@munero.ai
Contents
- Who we are
- What data we collect
- What we do with it
- Where it lives
- How long we keep it
- Your rights (UAE PDPL & GDPR)
- International transfers
- Third parties
- Cookies
- Children's data
- Changes to this policy
- Contact
Who we are
Munero is an AI-powered creative intelligence and advertising strategy platform operated by Alpharoot Marketing LLC FZE, a Free Zone limited liability company registered in the United Arab Emirates (the Operator). References to “we”, “us”, or “Munero” in this policy are references to the Operator. Our registered address is Al Rostamani Building, 47 16th Street, Al Hamriya, Dubai, United Arab Emirates.
We are the data controller for the personal data described in this policy, except where you connect a third-party advertising or analytics account to Munero. In that case the relevant platform is the controller of the underlying account data and Munero acts as a processor for the metrics we read on your behalf.
What data we collect
We collect the minimum needed to deliver Munero:
- Account information — your name, email, company, role, and the credentials you use to authenticate. Authentication is handled by Supabase Auth; we never see your password.
- Brief inputs — the briefs you submit to Munero (industry, audience, budget, creative goals, etc.) and any files you upload.
- OAuth tokens — when you connect Google Analytics, Search Console, Meta, Google Ads, TikTok, or LinkedIn, we receive access and refresh tokens. Tokens are stored encrypted in Supabase Vault and are read-only by design (see our Terms).
- Ad performance metrics — campaign, ad set, and ad metrics (spend, impressions, clicks, conversions, revenue) pulled from connected accounts or uploaded via CSV. We do not pull personally identifiable end-user data from your ad accounts.
- Campaign metadata — campaign and ad names, creative IDs, and the recommendation IDs you paste into them so we can match performance back to a Munero recommendation.
- Operational logs — server logs, sync run logs, and API call logs needed to run the service, debug, and meet our read-only audit obligations.
What we do with it
- Generate insights — we synthesise briefs, hooks, offers, audiences, and creative recommendations from your inputs and public market data.
- Match outcomes — once a campaign you launched goes live, we match its performance back to the original Munero recommendation so you see what worked.
- Train our recommendation engine — we use aggregated and de-identified outcome patterns to improve future briefs across our customer base. We never share raw account data, and identifiable outputs are scoped to the customer that produced them.
- Operate the service — auth, billing, security, incident response, and customer support.
We do not sell your data. We do not share your data with advertisers or third parties for their marketing. We do not use your data to train third-party large language models for purposes unrelated to running Munero.
Where it lives
Munero is hosted on the following infrastructure. Data is encrypted in transit (TLS) and at rest, and is isolated per customer using row-level security keyed to your account.
| Data | Provider | Region |
|---|---|---|
| Account, briefs, metrics, recommendation IDs | Supabase | United States (us-east) |
| OAuth tokens | Supabase Vault | United States (us-east) |
| Customer dashboard | Vercel | Global edge |
| Sync workers and orchestration | Railway | United States |
Because our operating entity (Alpharoot Marketing LLC FZE) is in the UAE and our primary storage is in the United States, your data may transit between the UAE and the US in the course of normal operation.
How long we keep it
- Active accounts — we retain account, brief, and performance data for as long as your account is active.
- Disconnect a platform — when you disconnect a platform, we delete the OAuth tokens immediately and the associated raw responses and metrics within 30 days.
- Delete your account — when you delete your account, we delete account, briefs, recommendations, integrations, and performance data within 30 days. Operational logs and the deletion-audit record are retained for 90 days for security and compliance, then deleted.
Your rights (UAE PDPL & GDPR)
We honour the rights granted to you under the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and, where it applies to you, the EU General Data Protection Regulation:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Deletion — ask us to delete your data. The fastest path is in-app: app.munero.ai → Settings → Delete Account. You can also follow the steps on /data-deletion.
- Portability — export your briefs and matched performance data in machine-readable form.
- Withdraw consent — disconnect any connected platform at any time without affecting the rest of your account.
- Restrict or object — ask us to restrict or stop specific processing.
- Lodge a complaint — EU users may complain to their national supervisory authority. UAE users may contact the UAE Data Office.
To exercise any of these rights, email privacy@munero.ai from the address registered on your account, or use the in-app self-service flow. We respond within 30 days.
International transfers
Munero processes data in the United Arab Emirates (the operating entity) and the United States (Supabase, Vercel, Railway). Where you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (or equivalent UK and Swiss addenda) as the lawful basis for transferring your data to the United States. Where required, we additionally rely on supplementary technical measures (encryption in transit and at rest, RLS isolation, vaulted credentials).
Third parties
We use a small set of sub-processors. Each is bound by a data processing agreement and is used only for the purpose listed.
| Sub-processor | Purpose | Country |
|---|---|---|
| Supabase | Database, auth, vault, storage | United States |
| Vercel | Customer dashboard hosting | United States |
| Railway | Sync workers and orchestration | United States |
| Anthropic | LLM inference for brief generation | United States |
| Apify | Public ad-library and market scraping | Czechia / EU |
| SerpAPI | Search-engine market signal | United States |
| Tavily | Web research for briefs | United States |
| Resend | Transactional email (signups, deletions) | United States |
Cookies
Our marketing site (munero.ai) uses minimal first-party session cookies required for the site to function. We do not use third-party advertising cookies, and we do not load tracking pixels on our marketing site. The customer dashboard (app.munero.ai) uses session cookies issued by Supabase Auth to keep you signed in.
Children's data
Munero is a B2B product and is not intended for users under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided personal data to Munero, email privacy@munero.ai and we will delete the account.
Changes to this policy
We will notify registered users of material changes to this policy by email at least 30 days before the changes take effect. Non-material changes (typo fixes, clarifications) take effect on publication; the effective date at the top of the page tracks the latest version.
Contact
Privacy questions, requests, or complaints: privacy@munero.ai.
Postal: Alpharoot Marketing LLC FZE, Al Rostamani Building, 47 16th Street, Al Hamriya, Dubai, United Arab Emirates.