1. Overview
Mavren engages a small number of third-party service providers ("sub-processors") to deliver the Mavren Audit. Each sub-processor is bound by confidentiality and data-processing terms, and processes data only on Mavren's instructions. We do not sell or share your data outside this list.
This page tracks the current sub-processors used in production. Material changes will be reflected here with an updated "Last updated" date. For questions, email privacy@mavren.ai.
2. Current Sub-processors
| Provider | Purpose | Data Processed | Hosting Region |
|---|---|---|---|
| Railway (application hosting + Postgres database) | Production application runtime, database, encrypted token storage. | Encrypted OAuth tokens, ad performance data, campaign metadata, creative assets, audit reports. | United States |
| OpenAI (GPT-4o vision & Whisper) | Visual and audio analysis of ad creatives (image composition, audio transcription) for the creative psychology layer of the audit. | Creative images and videos retrieved from connected ad accounts. No OAuth tokens, no PII. | United States |
| Anthropic Claude (Haiku, Opus) | Reasoning and natural-language generation for the audit narrative; sentiment scoring on public web content (news, Reddit) for brand-perception analysis. | Aggregated performance metrics and public web text. No ad platform OAuth tokens, no PII. | United States |
| Google Gemini (Flash Image) | Image generation and reference-based image editing for the Mavren Creative Regenerator, which produces alternative creative variants from a brand's existing ad imagery. | Ad creative images retrieved from connected ad accounts. No OAuth tokens, no PII. | United States |
| Vercel (static site hosting) | Hosts the public mavren.ai marketing website (this page, privacy policy, terms, data deletion). | Public website content only. No customer data, no ad platform data. | Global edge network |
3. Data Flow Summary
When you connect Meta Ads or Google Ads to Mavren:
- Mavren's application (hosted on Railway) exchanges your OAuth grant for a long-lived access token, encrypts it with Fernet (AES-128 in CBC mode with HMAC-SHA256 authentication), and stores it in the Railway-managed Postgres database.
- Performance metrics, campaign metadata, and creative URLs are fetched from the platform's API and stored in the same database.
- Creative images and videos are downloaded to the application file system and sent to OpenAI for visual and audio analysis. Raw creatives are purged after each audit run.
- Aggregated performance metrics and audit findings are sent to Anthropic to generate the audit narrative. Raw ad platform data is not sent.
- Public web content (news headlines, Reddit posts) used for brand-perception analysis is independently sent to Anthropic for sentiment scoring. This contains no ad platform data.
- When the Creative Regenerator is run on an audited ad, the ad's creative image is sent to Google (Gemini) as a reference to generate alternative creative variants. No OAuth tokens, no performance metrics, and no PII are transmitted.
4. Adding or Changing Sub-processors
Material changes to this list are published here before they take effect in production. If you have a contract with Mavren that entitles you to advance notice of sub-processor changes, that contractual notice period applies in addition to publication on this page.
5. Contact
Email: privacy@mavren.ai
Address: Mavren Technologies Ltd, London, United Kingdom