Obi Guitar Factory logoObi Guitar Factory

Security and Data Protection Practices

Obi Guitar Factory applies a minimum-necessary data principle across all service operations. We provide B2B analytics automation and do not operate a consumer social platform. Our systems are designed to support authorized ad account reporting, not personal profiling or data resale. Security controls are integrated into daily operations from onboarding through ongoing service delivery.

Data categories we process

Typical processed data includes ad account identifiers, campaign metadata, spend and delivery metrics, conversion aggregates, and operational audit logs. We may also process business contact details submitted by client representatives for project coordination. We avoid collecting unnecessary sensitive personal data and ask clients not to send payment card information or unrelated personal records through intake channels.

Authorization and permission boundaries

API workflows that involve Meta Marketing API, TikTok Marketing API, or similar services are executed only after client authorization is validated. We support authorized accounts only and run policy compliant integration procedures. Permissions are scoped to required tasks and reviewed if account ownership or administrator assignments change.

Retention and storage controls

Operational logs used for monitoring are typically retained for up to 90 days. Reporting datasets may be retained up to 13 months unless a shorter period is contractually required. Access credentials and tokens are treated as restricted secrets. Data no longer required for service delivery is removed or anonymized during routine cleanup windows, subject to legal and contractual obligations.

Access control, logging, and monitoring

System access is role-based and limited to approved personnel. Significant operations are logged for accountability, including authorization changes and reporting job updates. We monitor for failed synchronization events, unexpected access patterns, and data consistency anomalies so issues can be addressed quickly.

Incident handling

If a security incident with potential client impact is identified, we isolate affected processes, assess scope, and notify relevant contacts without unnecessary delay. Remediation actions and follow-up controls are documented as part of post-incident review.