1. What we do with your data
When you connect Pace to your advertising platforms, we pull the campaign data we need to do the job: campaign and ad-group structure, daily spend, performance metrics, budget settings, and the OAuth tokens that authorise us to read and adjust those things on your behalf.
That data is used for two purposes only. First, to show you what is happening across your accounts in the Pace dashboard. Second, to make the daily budget adjustments and surface the insights that are the whole point of Pace.
We do not sell your data. We do not share it with third parties beyond the sub-processors listed below. We do not use it to build any product that is not Pace itself.
2. We do not train models on your client ad data
This is the question I get asked the most, so I want to be specific. Pace uses AI in two places: Pace Intelligence (also called Dot) for conversational account analysis, and AI Sparks for anomaly detection. Both run on Google's Gemini models.
Your data is sent to those models at inference time only — Gemini receives a question plus the relevant account context, returns an answer, and the data is not retained for model training. We do not fine-tune a custom model on aggregate client data, and we do not contribute your data to Google for theirs. The AI is a tool you point at your data when you ask a question, not a system that learns from you in the background.
3. Encryption
Pace runs entirely on Google Cloud (Firebase, multi-region nam5 — North America). That gives us two encryption guarantees by default, not by configuration:
- At rest: AES-256 encryption on all stored data, automatic across Firestore, Cloud Storage, and any other Firebase service we use. Google documents this at cloud.google.com/security/encryption-at-rest.
- In transit: TLS 1.2 or higher on every connection. Firebase only accepts HTTPS, full stop. Documented at firebase.google.com/support/privacy.
These are inherited from Google Cloud's infrastructure, so the failure modes and certifications that apply to GCP apply to the data inside Pace.
4. Access controls
Sign-in is Google OAuth only. There is no email-and-password login to Pace, which means there is no password database to breach. If your Google Workspace enforces two-factor authentication, Pace inherits it.
Inside Pace, role-based access controls limit who on your team can see what. The internal Pace team operates on a least-privilege model — access to production data is restricted to the people who need it to operate the system, and every access is logged.
Every change Pace makes to your campaigns is written to a full audit log you can read inside the app. This applies to both Pace's automated changes and any manual changes a teammate makes through the dashboard. The audit log is the same one used internally; we do not maintain a separate "customer-facing" version with anything redacted.
5. Data lifecycle
While you are an active customer, we hold your data as long as it is useful for running Pace. Historical performance data is retained so that the pacing engine can model trends, and the change log is retained so you can review your audit history.
When you cancel, your account data is deleted. OAuth tokens are revoked, which immediately stops Pace from accessing your advertising platforms. We retain a minimum of billing and account records as required by tax and accounting law, and anything else is removed.
6. Sub-processors
Pace itself is built by the Pace team. The infrastructure and tools we rely on:
- Google Cloud / Firebase — hosting, database, authentication, storage
- Google Gemini API — the AI inference layer for Pace Intelligence and AI Sparks (no data retention for training)
- Google Ads API, Meta Marketing API, TikTok Marketing API, LinkedIn Marketing API, Microsoft Advertising API — the platforms Pace manages on your behalf
- Stripe — payment processing (we do not store card numbers; Stripe handles PCI compliance)
- Standard operational tools — analytics, monitoring, customer support and email delivery, all running on first-party infrastructure or industry-standard SaaS
If you need a current, comprehensive sub-processor list for a procurement review, email security@paceads.com and we will send it within one business day.
7. Compliance posture
I want to be honest about where Pace sits as an early-stage product. We do not currently hold our own SOC 2 or ISO 27001 certifications. We are a small team and those audits take time and money that we are prioritising against shipping the product.
What we do have, and what most procurement teams will accept as compensating context:
- The Google Cloud infrastructure Pace runs on is itself SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, PCI DSS, and HIPAA certified. Anything Pace stores benefits from those controls at the infrastructure layer.
- We are happy to sign a Data Processing Agreement (DPA) on request, and to operate under standard MSAs with mutual confidentiality terms.
- We can complete vendor security questionnaires (SIG Lite is the common format). Allow us a few business days for a thorough response.
- For enterprise prospects, I will personally hop on a 30-minute security call to walk through how Pace is architected and answer specific questions.
We are planning a SOC 2 Type I audit in 2026 once we have the customer mix that warrants it. When that lands, this page will be updated.
8. Enterprise & procurement
If your organisation needs more than what is on this page — a custom DPA, an inline security questionnaire response, a call to walk through the architecture, or a contract with negotiated confidentiality terms — that is normal. Email security@paceads.com with what you need and we will turn it around quickly. Founder-led, no support queue.
Contact security
For any security question, concern, or vulnerability disclosure: security@paceads.com.
For privacy-policy specifics (what is collected, your rights, the legal text), see the Privacy Policy. For terms governing the use of Pace, see the Terms of Use.