OAuth and Permissions Explained

Last updated: February 2026

Security First

Luxia uses industry-standard OAuth for secure authentication. We never store your passwords or login credentials. You maintain full control over access to your data.

1. What is OAuth?

OAuth is an industry-standard security protocol that allows you to grant third-party applications (like Luxia) access to your accounts without sharing your password.

How OAuth Works

  1. You click "Connect Google Ads" (or Meta/TikTok) in Luxia
  2. You are redirected to the official Google/Meta/TikTok login page
  3. You log in and review the permissions Luxia is requesting
  4. You approve the permissions (you can deny any permission)
  5. You are redirected back to Luxia with a secure access token
  6. Luxia uses this token to read your marketing data

Your password is never shared with Luxia. Only Google, Meta, or TikTok see your login credentials. Luxia receives only a temporary access token.
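The redirect steps above, shown from the application's side as an added example (not Luxia's code). It assumes the authorization code grant, in which the redirect back carries a one-time code that the server then exchanges for the access token; the endpoint, client ID, redirect URI and scope name are placeholders.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder values: assumptions for illustration, not any platform's real settings.
AUTHORIZE_ENDPOINT = "https://accounts.platform.example/oauth/authorize"
CLIENT_ID = "example-client-id"
REDIRECT_URI = "https://app.example/oauth/callback"
READ_ONLY_SCOPE = "ads.read"  # hypothetical read-only scope name


def build_authorization_request():
    """Steps 1-2: build the URL the browser is sent to, plus the state to remember."""
    state = secrets.token_urlsafe(32)  # unguessable value tied to the user's session
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": READ_ONLY_SCOPE,  # ask only for what the analysis needs
        "state": state,
    })
    return f"{AUTHORIZE_ENDPOINT}?{query}", state


def handle_callback(callback_url, expected_state):
    """Step 5: validate the redirect back before any token is requested."""
    parsed = urlparse(callback_url)
    if f"{parsed.scheme}://{parsed.netloc}{parsed.path}" != REDIRECT_URI:
        raise ValueError("callback arrived on an unexpected redirect URI")
    params = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    # Constant-time comparison; a mismatch means the response is not for this session.
    returned_state = params.get("state", "").encode()
    if not hmac.compare_digest(returned_state, expected_state.encode()):
        raise ValueError("state mismatch")
    if "error" in params:  # step 4: the user declined the request
        return {"granted": False, "reason": params["error"]}
    if "code" not in params:
        raise ValueError("missing authorization code")
    # The one-time code is exchanged server-to-server for the access token (step 6).
    return {"granted": True, "code": params["code"]}
```

The password never appears anywhere in this exchange: the application only ever sees the `state` value it generated and the code the platform hands back.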

2. Luxia Never Stores Passwords

We Do NOT Store:

  • Your Google Ads password
  • Your Meta (Facebook/Instagram) password
  • Your TikTok password
  • Any login credentials in plain text
  • Any master passwords or recovery codes

What we store instead: Encrypted OAuth access tokens that automatically expire and can be revoked at any time.

3. Permission Scopes Explained

When you connect your account, Luxia requests specific permissions (called "scopes"). Here's what each permission means and why we need it:

Google Ads Permissions

Read-Only Access

Luxia can view your Google Ads campaigns, ad groups, keywords, and performance metrics. Luxia cannot make changes to your account.

Campaign Performance Data

Luxia reads impression, click, conversion, cost, and ROI data to analyze your campaign performance and identify optimization opportunities.

Conversion Tracking

Luxia accesses your conversion tracking setup to understand how you measure success and provide accurate ROI analysis.

Meta (Facebook/Instagram) Permissions

Ads Manager Access

Luxia can view your Facebook Ads Manager campaigns, ad sets, ads, and performance metrics. Luxia cannot modify your campaigns.

Audience and Creative Data

Luxia reads audience targeting, creative variations, and performance by creative to identify which messaging resonates with your audience.

Conversion Events

Luxia accesses your conversion events (purchases, leads, sign-ups) to calculate accurate ROAS and identify underperforming segments.

TikTok Ads Permissions

Campaign and Performance Data

Luxia can view your TikTok Ads campaigns, creatives, audience segments, and performance metrics to analyze your TikTok ad effectiveness.

4. Read-Only Access

Luxia Has Read-Only Access

This means Luxia can view your data, but cannot:

  • Pause or stop your campaigns
  • Change your budgets
  • Modify your ads or targeting
  • Delete any campaigns or ads
  • Change your account settings
  • Access any other accounts or data

You maintain 100% control. All decisions remain yours. Luxia provides insights and recommendations, but you execute all changes.

5. Limited Permissions

Luxia requests only the minimum permissions necessary to deliver value:

What Luxia Does NOT Request:

  • Access to your personal social media accounts
  • Access to private messages or customer data
  • Access to billing or payment information
  • Access to other users' accounts
  • Permission to post on your behalf
  • Permission to access your email or contacts

We request only access to marketing performance data necessary for analysis and insights.

6. Revoking Access

You can revoke Luxia's access at any time. Here's how:

Option 1: Through Luxia

  1. Log in to your Luxia account
  2. Go to Settings → Connected Accounts
  3. Click "Disconnect" next to the platform you want to disconnect
  4. Confirm the disconnection
  5. Luxia will immediately stop accessing your data

Option 2: Through Platform

Google Ads

Visit myaccount.google.com/permissions → Find "Luxia" → Click "Remove Access"

Meta (Facebook/Instagram)

Visit facebook.com/settings → Business Integrations → Find "Luxia" → Click "Remove"

TikTok Ads

Visit TikTok Ads Manager → Settings → Authorized Applications → Find "Luxia" → Click "Revoke"

7. Data Retention

When you disconnect your account or delete your Luxia account:

What Happens to Your Data

  • OAuth access tokens are immediately revoked and deleted
  • Cached performance data is deleted within 30 days
  • Aggregated, anonymized insights may be retained for product improvement
  • You can request complete data deletion at any time via [email protected]

For complete data deletion instructions, visit our Data Deletion page.

8. Security Practices

Luxia follows industry-standard security practices to protect your data:

Encryption

All data in transit uses TLS 1.3. All data at rest is encrypted using AES-256.

Token Expiration

OAuth tokens automatically expire after 60 days of inactivity and are refreshed securely.

Access Controls

Role-based access controls ensure only authorized personnel can access infrastructure.

Regular Audits

We conduct regular security audits and penetration testing to identify vulnerabilities.

Questions About OAuth?

If you have questions about OAuth, permissions, or data security, please contact us:

Contact Support