Privacy Policy
Last updated: July 7, 2026
1. Who we are
Last Best Digital LLC, doing business as CriterionIQ ("CriterionIQ," "we," "our," or "us"), is a cross-channel marketing intelligence, execution, and signal platform. This Privacy Policy explains how we collect, use, store, and share information when you visit criterioniq.com or use our platform (collectively, the "Service").
2. Information we collect
We collect information in the following ways:
- Account information. When you sign up or request an audit, we collect your name, work email address, company website, and any notes you choose to share.
- Connected platform data. With your explicit permission, we connect to your marketing accounts — including Meta (Facebook Pages, Instagram business accounts, and ad accounts), TikTok, and Google — via their official APIs to retrieve the data needed to provide the Service. From Meta this includes Facebook Page and Instagram content and insights (such as posts, media, engagement, reach, and impressions), ad account reporting, and the list of assets you authorize us to access. We request read access for reporting, and management access only where you enable a feature (such as audience or conversion activation) that requires it. This data is used only to provide the Service to you and only within the scope permitted by each platform's developer terms.
- Public ad library data. Some features use Meta's publicly accessible Ad Library to surface ad creative examples. This data is publicly available and not tied to your connected accounts.
- Tracking and signal data. If you use our Signal IQ or Conversion API Gateway features, we process conversion events, pixel data, and identity signals on your behalf as a data processor. Personal identifiers in these events are hashed before they are sent to any advertising platform. Because we run the gateway ourselves rather than routing your data through a third-party conversion API vendor, we generally act as your processor rather than a party that owns or resells this signal. See Section 6 for the full detail.
- Usage data. We automatically collect log data, browser type, IP address, pages visited, and feature interactions to operate and improve the Service.
- Cookies. We use essential cookies for authentication and session management, and optional analytics cookies to understand how the platform is used.
3. How we use your information
- To provide, operate, and improve the Service
- To generate performance briefs, audits, and intelligence reports on your behalf
- To send transactional emails (audit delivery, account notices)
- To respond to support requests
- To detect and prevent fraud, abuse, or security incidents
- To comply with legal obligations
We do not sell your data. We do not use your ad account data or any data obtained through third-party platform APIs to train AI models. Platform API data is used solely to provide the Service to you within the scope permitted by each platform's developer policies.
4. How we share your information
We share data only in the following circumstances:
- Service providers. We use third-party vendors (cloud infrastructure, database providers, email delivery) who process data solely on our behalf under contractual data protection obligations.
- AI processing. Some features use AI models to generate analysis and recommendations. Raw data obtained through third-party platform APIs (Meta, TikTok, Google, etc.) is never transmitted to external AI providers. AI models receive only internally computed aggregations and anonymized summaries derived from your data, and only to the extent necessary to provide the Service to you.
- Legal requirements. We may disclose information when required by law, court order, or to protect the rights and safety of CriterionIQ, our users, or the public.
- Business transfers. If CriterionIQ is acquired or merges with another entity, your data may transfer as part of that transaction, subject to equivalent privacy protections.
5. Third-party platform API data
When you connect a third-party advertising platform (Meta, TikTok, Google, etc.), we access your account data through that platform's official API under your authorization. Our use and transfer of information received from the Meta APIs — including data from Facebook and Instagram — adheres to the Meta Platform Terms and Developer Policies, including any limited-use requirements. We are committed to the following:
- Platform API data is used only for the specific purpose of providing the Service to you and only within the scope permitted by the applicable platform's developer policies.
- We do not sell, rent, or share platform API data with unauthorized third parties.
- We do not use platform API data to build, train, or improve AI or machine learning models.
- We do not use platform API data to build products or services that compete with those platforms.
- We do not combine platform API data with data from other sources in ways that violate the applicable platform's terms.
- You may revoke our access to your connected accounts at any time through the platform's own settings or by contacting us.
6. The Conversion API Gateway and Signal IQ
CriterionIQ operates its own first-party Conversion API (the "Conversion API Gateway"). Unlike platforms that route your conversion data through a third-party conversion API vendor, we run the gateway ourselves — your visitors' events flow from your own website to your own advertising destinations, with CriterionIQ generally acting as your data processor rather than a party that owns, resells, or independently monetizes your signal.
How it works
- First-party collection. Conversion events (such as page views, leads, and purchases) are collected on your own domain or a subdomain you control — not on a CriterionIQ tracking domain shared across customers.
- Server-side hashing. Before any personal identifier (email, phone number, name, address, or external ID) is sent to an advertising platform, we normalize and irreversibly hash it with SHA-256 on our servers. We do not transmit plaintext personal data to ad platforms.
- Match quality. To improve attribution accuracy, we process first-party signals such as advertising-platform cookies (for example
_fbp,_ttp,_gcl) and a durable first-party visitor identifier. Where these contain personal data, they are hashed before transmission. - Deduplication. Browser-side and server-side events are matched on a shared event ID so each conversion is counted once, not twice.
- You choose the destinations. Events are forwarded only to the advertising platforms you connect and authorize (for example Meta, Google, TikTok, LinkedIn, Pinterest, GA4). We do not add destinations of our own.
Because we run the gateway ourselves, we can keep data handling tightly scoped and aligned with industry-standard practices. As a general practice, with your conversion and identity data we aim not to:
- operate a data co-op or pool your conversion data with other customers' data;
- build, sell, or license an identity graph derived from your visitors' data;
- enrich your events with data purchased from third-party data brokers;
- sell or rent your conversion data; or
- use your conversion or identity data to train AI or machine-learning models.
We handle conversion and identity data in line with industry-standard practices: identifiers are hashed, data is retained only as long as reasonably needed to deliver and reconcile events, and you generally act as the data controller while we act as your processor — so you can disable the gateway or request deletion. For more detail on our data-handling practices, or a copy of our data processing terms, contact us at [email protected].
When evaluating any other conversion API provider, we encourage you to ask them these same questions.
7. Data retention
We retain account data for the duration of your active relationship with us, plus a reasonable period thereafter for legal and operational purposes. Ad platform data connected for audits is deleted or returned to read-only archive within 30 days of your request. You may request deletion at any time (see Section 9).
8. Security
We encrypt data in transit (TLS) and at rest. Production customer data runs on isolated tenants. We conduct regular reviews of our access controls and security practices. No system is perfectly secure — if you discover a vulnerability, please contact us at the address below.
9. Your rights and choices
Depending on where you are located, you may have the right to:
- Access a copy of the personal data we hold about you
- Correct inaccurate data
- Request deletion of your data
- Object to or restrict certain processing
- Data portability where technically feasible
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
For data obtained through a connected platform such as Meta (Facebook and Instagram), you can also revoke our access at any time by removing CriterionIQ from your Facebook or Instagram app settings. To have the associated data erased, follow our data deletion instructions.
10. Third-party links and integrations
The Service connects to third-party ad platforms (Meta, TikTok, Google, etc.). Once you leave our platform, those parties' privacy policies govern. We are not responsible for their data practices.
11. Children's privacy
The Service is intended for business users aged 18 and older. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, contact us and we will delete it promptly.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Last updated" date above and, where appropriate, by email. Continued use of the Service after changes take effect constitutes acceptance.
13. Contact
Questions about this policy? Reach us at [email protected].