Security Policy
How we protect your data, our infrastructure practices, access controls, and data handling commitments.
At NeoLook.ai, security is built into how we design, build, and run the platform from the ground up. As a platform that connects to your advertising accounts, CRM data, and customer communications, we understand the responsibility that comes with that access. This page explains how we protect your data, how long we keep it, who we share it with, and what your rights are. It should be read alongside our Privacy Policy and Terms of Service.
Our Security Principles
Infrastructure and Hosting
NeoLook.ai is hosted exclusively on Yotta India's carrier-grade data centre infrastructure. Yotta operates facilities with physical security controls, power redundancy, environmental monitoring, and access management built to enterprise standards. All traffic to and from the platform passes through a combination of load balancers and enterprise-grade firewalls that filter malicious requests, block unauthorised access attempts, and protect against network-layer attacks including DDoS.
2.1 Encryption in Transit
All data moving between your systems and NeoLook.ai is encrypted using TLS 1.2 or higher. We do not permit plain-text transmission of customer data at any point in our infrastructure.
2.2 Encryption at Rest
Encryption of data stored at rest is available upon request. If you have a contractual or regulatory requirement for this, contact us at [email protected] and we will discuss enablement and applicable terms.
2.3 Access Controls
Access to our production systems follows the principle of least privilege — every team member is granted only the access their specific role requires. All production access is logged and reviewed regularly. Multi-factor authentication is mandatory for anyone accessing production infrastructure, and access is revoked promptly when someone's role changes or their engagement ends.
2.4 Data Isolation
Each customer's data is stored and processed in a way that keeps it logically separate from the data of other customers. We do not use one customer's data to influence another customer's campaigns or recommendations. Data from Google or Meta API connections is isolated per account and is never commingled across customers.
Certifications and Compliance
3.1 Current Status
NeoLook.ai operates under the security governance framework of Mtalkz Mobility Services Private Limited. Our platform is hosted in Yotta India's carrier-grade data centre and protected by enterprise-grade network security controls. We comply with the Digital Personal Data Protection Act 2023 (India) as data fiduciary and data processor, as applicable.
3.2 In Progress
We are working toward formal third-party security audits for NeoLook.ai as a standalone platform. Customers who require specific compliance documentation are welcome to contact us at [email protected].
Personnel Security
4.1 Background Verification
All employees and contractors undergo background verification before system access is granted.
4.2 Confidentiality Obligations
Every employee, contractor, and partner with access to sensitive information is required to sign a Non-Disclosure Agreement before access is granted. These obligations continue after the engagement ends.
4.3 Security Awareness Training
All new team members complete security onboarding before being granted system access. Ongoing training covers current attack techniques, phishing simulation, and secure handling of credentials and customer data. Security incidents and learnings are shared internally to maintain awareness across the team.
Secure Development
Security requirements are built into our development process from the design stage — not applied as a final step.
5.1 Development Lifecycle
All new features and significant changes undergo a design review that explicitly considers security before development begins. Our development practices follow OWASP Top 10 recommendations for web application security. Dependencies and open-source libraries are regularly reviewed and updated to address known vulnerabilities.
5.2 Testing Before Deployment
All new systems and services are reviewed for security before going into production. Static and dynamic application security testing is applied to all code, including third-party libraries. We conduct internal and external penetration testing on new systems and major changes to existing functionality.
Platform Credential Linking and Token Exchange
6.1 How Credential Linking Works
NeoLook.ai connects to third-party platforms — including Meta Ads, Google Ads, Claude, ChatGPT, Gemini, and others — through a credential linking process that you complete during platform setup. This involves authenticating directly with the relevant third-party platform and authorising NeoLook.ai to access it on your behalf. NeoLook.ai does not request, collect, or store raw platform passwords. Access is established through standard OAuth flows or API key authorisation.
6.2 Consent via Linking
The act of linking a third-party platform account to NeoLook.ai during setup constitutes your explicit consent to:
- Authorise NeoLook.ai to access the linked platform using the credentials and permissions established at the time of linking
- Authorise token exchange between NeoLook.ai and the linked platform for retrieving data and submitting campaign instructions
- Acknowledge that the scope of access is defined by the permissions you approve at the point of linking
You may revoke access to any linked platform at any time through NeoLook.ai's settings or directly through the third-party platform's own access management interface.
6.3 Token Storage
Access tokens are stored in encrypted form within NeoLook.ai's infrastructure. Tokens are used solely for purposes authorised by you and are not shared with any party other than the platform they were issued by. Tokens are invalidated and deleted upon account termination or when you unlink the relevant platform.
Data Retention and Processing
NeoLook.ai stores and processes campaign data, audience data, and CRM records on your behalf to deliver the platform's intelligence and automation features. The provisions below are consistent with and should be read alongside the retention provisions in our Privacy Policy and the Data Processing Agreement in our Terms of Service.
7.1 Standard Retention Period
Customer data — including campaign data, audience data, CRM records, and platform-generated insights — is retained for 12 months from the date of collection or last update, whichever is later. After this period, data is deleted from active storage.
7.2 Deletion Requests
You may request deletion of your data at any time by contacting [email protected]. Upon receiving a valid request, NeoLook.ai will confirm receipt in writing within 5 business days, delete the data from all active systems, and confirm this deletion to you. A copy of the relevant data will be transferred to secure deep storage held solely for audit, legal, and regulatory purposes. Deep storage data is retained for up to 7 years and is not accessible for any operational use.
7.3 What We Retain Beyond the Standard Period
Access tokens and API credentials you have authorised are stored in encrypted form for the duration of your active subscription. Account-level metadata such as custom field names and account identifiers are retained for the duration of your subscription and for 90 days following account closure.
7.4 Customer Data Portability
All insights collected by NeoLook.ai on your behalf — including campaign performance data, audience analysis, ROAS reports, and AI-generated recommendations — can be pushed into your own systems upon request. We support data export via API or structured file transfer. Contact [email protected] to arrange this.
7.5 Data Use Limitation
NeoLook.ai may use customer data in aggregated and anonymised form to improve platform performance, refine AI models, and enhance the quality of recommendations for all users. In all such cases, individual customer data is not identifiable and cannot be attributed to any specific customer or campaign. Customer data is never used for any purpose beyond service delivery and platform improvement in this anonymised form. Raw customer data — and specifically all data received from Google and Meta APIs — is never used to develop, improve, or train any generalised or non-personalised AI or machine learning model.
Third-Party Sub-Processors
NeoLook.ai works with a defined set of third-party sub-processors to deliver the platform. Each sub-processor receives only the data necessary for its specific function. A full and current list of sub-processors is maintained at NeoLook.ai/sub-processors.
Sub-processors are contractually required to handle data in accordance with applicable data protection law and, where applicable, in accordance with Meta's Developer Data Use Policy and Google's API Services User Data Policy. Each sub-processor is required to delete data it received from NeoLook.ai when we cease using its service. Each sub-processor's own security and privacy policy applies individually to its scope of data processing.
When data is transferred to any sub-processor in the course of delivering the service, that transfer is governed by the relevant sub-processor's data processing terms and occurs only to the extent necessary for service delivery.
Google and Meta Data Handling
This section supplements the platform-specific provisions in our Privacy Policy (Sections 3 and 4) with additional detail on how data from Google and Meta APIs is handled at an infrastructure level.
9.1 Google API Data
Data received from Google APIs — including Google Ads account data — is stored in logically isolated, encrypted storage associated with your account. It is accessed only by the platform systems required to deliver your requested features and by authorised personnel in the limited circumstances described in our Privacy Policy. Google API data is never used to develop, improve, or train any generalised or non-personalised AI or machine learning model, consistent with the Google API Services User Data Policy Limited Use requirements. Upon disconnection of your Google account, Google API-sourced data is deleted without undue delay.
9.2 Meta API Data
Data received from Meta APIs — including advertising account data, campaign data, audience data, Pixel event data, and creative assets — is stored in logically isolated, encrypted storage associated with your account. It is accessed only by the platform systems required to deliver your requested features and by authorised personnel in the limited circumstances described in our Privacy Policy. Meta API data is never used to develop, improve, or train any generalised or non-personalised AI or machine learning model. Meta account data is not used for NeoLook.ai's own advertising purposes. Upon disconnection of your Meta account, Meta API-sourced data is deleted without undue delay, consistent with Meta's Developer Data Use Policy. Sub-processors handling Meta API data are contractually required to delete such data when NeoLook.ai ceases using their service.
9.3 No Cross-Customer Data Use
Data from your Google or Meta accounts is never used in connection with any other customer's account, campaigns, audience scoring, or recommendations. Each customer's platform data is logically isolated at all times.
Your Rights and Contact
You retain full ownership of your data at all times. NeoLook.ai processes your data solely to deliver the service you have subscribed to and, in aggregated anonymised form, to improve the platform for all users.
Full details of your rights — including rights under the DPDP Act 2023 and GDPR — are set out in our Privacy Policy (Section 9). To exercise any of these rights, or for security and compliance queries, please contact us:
NeoLook.ai is a product of Mtalkz Mobility Services Private Limited, registered in India. This policy is reviewed and updated at least annually or whenever material changes are made to our security practices.