Security & Data Protection

Your ad accounts are safe with us

How AdWhiz protects your advertising accounts, credentials, and data. OAuth scopes, encryption, data retention, and compliance details.

Our Security Principles

AdWhiz is built by advertisers, for advertisers. We understand that connecting your Google Ads or Meta Ads account to a third-party tool requires trust. This page explains exactly what data we access, how we store it, and what safeguards are in place.

Minimal Permissions

We only request the OAuth scopes strictly needed to read and manage your ad campaigns. No access to email, files, or personal data.

Encrypted at Rest

All credentials (refresh tokens, access tokens) are encrypted with AES-256-GCM before storage. Encryption keys are managed via environment variables, never stored alongside data.

No Data Retention

AdWhiz does not store your raw ad performance data long-term. Audit snapshots are computed on the fly and only aggregated scores are persisted.

You Stay in Control

You can disconnect your ad accounts or delete your AdWhiz account at any time. Revoking access instantly invalidates all stored tokens.

OAuth Scopes & Permissions

When you connect an ad platform, AdWhiz requests the minimum set of OAuth scopes required. Here is exactly what each connection grants:

AdWhiz uses the Google Ads API (v23) with the google-ads scope. This allows reading campaign data and making changes you explicitly request (e.g., pausing a keyword, updating a budget). We do not request access to Gmail, Google Drive, Calendar, or any other Google service.

| Scope | What It Allows | What It Does NOT Allow |
| --- | --- | --- |
| https://www.googleapis.com/auth/adwords | Read and manage Google Ads campaigns, ad groups, keywords, budgets, and conversion tracking | Cannot access Gmail, Drive, YouTube, Calendar, or any non-Ads data |

Meta (Facebook) Ads

For Meta Ads, we request four scopes via the Meta Graph API (v22.0):

| Scope | Purpose |
| --- | --- |
| ads_read | Read campaign performance data and metrics |
| ads_management | Make changes you explicitly request (pause ads, update budgets) |
| pages_show_list | List your connected Facebook Pages for attribution |
| pages_read_engagement | Read page engagement metrics tied to ad performance |

No Posting Permissions

AdWhiz cannot create posts, send messages, or modify content on your Facebook Pages or Instagram accounts. We only read advertising and engagement data.

MCP API Security

If you use AdWhiz through the MCP (Model Context Protocol) API — for example, via Claude Code, Claude Desktop, or a custom AI agent — additional security layers apply:

  • **OAuth 2.0 with PKCE** — All MCP connections use the Authorization Code flow with Proof Key for Code Exchange, preventing token interception attacks.
  • **Dynamic Client Registration (RFC 7591)** — Each MCP client registers dynamically and receives unique credentials. No shared secrets.
  • **Short-Lived Access Tokens** — Access tokens expire after 1 hour. Refresh tokens last 30 days and can be revoked at any time.
  • **Consent Screen** — Every MCP client must go through a consent UI where you explicitly approve the scopes before any access is granted.
  • **Token Hashing** — All tokens are stored as SHA-256 hashes. Even if our database were compromised, raw tokens cannot be recovered.
  • **Automatic Cleanup** — Expired tokens, sessions, and auth codes are purged hourly by an automated database function.

Revoking MCP Access

You can revoke all MCP tokens from your Dashboard > Settings page. This immediately invalidates all connected AI agents and MCP clients.
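
The PKCE check, hash-only token storage, one-hour expiry, revocation, and hourly purge listed above can be sketched as follows. This is an added example, not AdWhiz's code: the in-memory `Map` store and all function names are hypothetical, and a real deployment would use a database table.

```javascript
// Added illustration; store layout and function names are assumptions.
const crypto = require('node:crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();
const ACCESS_TTL_MS = 60 * 60 * 1000; // 1 hour, the lifetime the page states

// RFC 7636 S256: BASE64URL(SHA256(code_verifier)) must equal the code_challenge
// that was recorded when the authorization request was made.
function verifyPkce(codeVerifier, codeChallenge) {
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(codeVerifier)) return false;
  const expected = Buffer.from(sha256(codeVerifier).toString('base64url'));
  const given = Buffer.from(String(codeChallenge));
  return expected.length === given.length && crypto.timingSafeEqual(expected, given);
}

// Issue a token: the raw value goes to the client once, only its hash is kept.
// An unsalted SHA-256 is adequate here only because the token is 256 random bits.
function issueToken(store, clientId, now = Date.now()) {
  const raw = crypto.randomBytes(32).toString('base64url');
  const row = { clientId, expiresAt: now + ACCESS_TTL_MS, revoked: false };
  store.set(sha256(raw).toString('hex'), row);
  return raw;
}

// Validate a presented token by hashing it and looking up the hash.
function checkToken(store, presented, now = Date.now()) {
  const row = store.get(sha256(presented).toString('hex'));
  if (!row || row.revoked || now >= row.expiresAt) return null;
  return row.clientId;
}

// Revocation marks every row of a client; no raw token is needed to do it.
function revokeClient(store, clientId) {
  for (const row of store.values()) if (row.clientId === clientId) row.revoked = true;
}

// Periodic cleanup: drop expired rows and report how many were removed.
function purgeExpired(store, now = Date.now()) {
  let removed = 0;
  for (const [hash, row] of store) {
    if (now >= row.expiresAt) { store.delete(hash); removed++; }
  }
  return removed;
}
```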

How Credentials Are Stored

Your Google and Meta refresh tokens are the most sensitive data we handle. Here is how we protect them:

1. Encryption at rest

Refresh tokens are encrypted using AES-256-GCM before being written to the database. Each token uses a unique initialization vector (IV).

2. Key separation

Encryption keys are stored in environment variables on our hosting provider (Vercel), separate from the database (Supabase). Compromising one system alone does not expose tokens.

3. No plaintext logging

Tokens are never written to application logs, error reports, or analytics systems. We use redaction middleware to strip sensitive fields from all log outputs.

4. Decryption only at use time

Tokens are decrypted only when an API call to Google or Meta is being made, and the plaintext token exists only in memory for the duration of that request.
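
A sketch of the storage scheme in steps 1, 2 and 4: AES-256-GCM with a fresh IV per token and a key read from the environment. This is an added example, not AdWhiz's code. The variable name `TOKEN_ENC_KEY`, the record layout, and the use of associated data to bind a ciphertext to its row are assumptions that go beyond what the page states.

```javascript
// Added illustration; TOKEN_ENC_KEY and the record layout are assumptions.
const crypto = require('node:crypto');

// Read a hex-encoded 32-byte key from the environment; fail closed otherwise.
function loadKey(env = process.env) {
  const key = Buffer.from(env.TOKEN_ENC_KEY || '', 'hex');
  if (key.length !== 32) throw new Error('TOKEN_ENC_KEY must be 64 hex characters');
  return key;
}

// Encrypt one refresh token. A new 96-bit IV is drawn on every call, because
// reusing an IV under the same key breaks GCM confidentiality and integrity.
// aad (for example "userId:provider") ties the ciphertext to its database row.
function encryptToken(key, plaintext, aad) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(aad, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  // Stored record: version byte || IV (12) || auth tag (16) || ciphertext
  return Buffer.concat([Buffer.from([1]), iv, tag, ct]).toString('base64');
}

// Decrypt at use time. final() throws if the tag, ciphertext, IV or aad was
// altered, so a modified or row-swapped record is rejected instead of used.
function decryptToken(key, record, aad) {
  const buf = Buffer.from(record, 'base64');
  if (buf.length < 29 || buf[0] !== 1) throw new Error('unsupported record format');
  const iv = buf.subarray(1, 13);
  const tag = buf.subarray(13, 29);
  const ct = buf.subarray(29);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  decipher.setAAD(Buffer.from(aad, 'utf8'));
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```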

What Data We Store

| Data | Stored? | Retention |
| --- | --- | --- |
| Encrypted Google/Meta refresh tokens | Yes | Until you disconnect or delete your account |
| Health scores (aggregated numbers) | Yes | Rolling 90-day history |
| AI recommendations (text) | Yes | Until applied, dismissed, or expired (30 days) |
| Audit results (aggregated metrics) | Yes | Until you delete your account |
| Raw campaign data (clicks, spend, keywords) | No | Fetched from Google/Meta API on each request, not persisted |
| Search terms reports | No | Processed in memory for negative keyword suggestions, not stored |
| Ad creative text or images | No | Never stored by AdWhiz |
| Your personal Google/Meta data (email, photos, contacts) | No | Never accessed or stored |

Infrastructure & Hosting

  • **Frontend & API** — Hosted on Vercel (US regions), with automatic TLS/SSL encryption for all traffic.
  • **Database** — Supabase (PostgreSQL) with Row Level Security (RLS) policies ensuring users can only access their own data.
  • **Audit Microservice** — Google Cloud Run (us-central1) for compute-intensive audit processing, with automatic scaling and no persistent storage.
  • **MCP Server** — Google Cloud Run with OAuth 2.0 authentication at the gateway level.
  • **All traffic encrypted** — Every connection between services uses HTTPS/TLS. No unencrypted internal traffic.

Account Deletion & Data Removal

You can delete your AdWhiz account at any time from Dashboard > Settings. When you delete your account:

  1. All encrypted refresh tokens are permanently deleted.
  2. All health scores, recommendations, and audit history are removed.
  3. All MCP OAuth tokens, sessions, and client registrations are invalidated and purged.
  4. Your login session is terminated immediately.
  5. This process is irreversible — we cannot recover deleted data.

For Meta Ads users, we also support the Meta Data Deletion Callback. When you remove AdWhiz from your Facebook settings, Meta automatically notifies us and we delete all your Meta-related data.

Google OAuth Verification

AdWhiz has completed Google's OAuth verification process, which includes a security assessment and a review of our data handling practices. The Google "Sign in with Google" button and Google Ads connection on adwhiz.ai are verified and approved by Google. You can verify this by checking the consent screen when you connect — it should show "AdWhiz" as a verified app, not an unverified warning.

Reporting Security Issues

If you discover a security vulnerability in AdWhiz, please email us at support@adwhiz.ai with the subject line "Security Report." We take all reports seriously and will respond within 48 hours. Please do not publicly disclose vulnerabilities before we have had a chance to investigate and address them.

Questions?

If you have any security concerns or questions not covered here, reach out to us at support@adwhiz.ai or through the contact form at adwhiz.ai/contact. We are happy to provide additional detail about our security practices.