Privacy Policy

Ascend GTM ("Ascend," "we," "our," or "us")
Effective date: April 27, 2026
Last updated: April 27, 2026

1. Who We Are​

Ascend GTM operates a multi-tenant GTM automation platform and API gateway ("Platform") that enables B2B companies and marketing agencies to connect, orchestrate, and automate their go-to-market workflows across third-party SaaS platforms (including LinkedIn, HubSpot, Salesforce, Google, Meta, Microsoft, and others).

We act as a data processor on behalf of our business clients ("Clients") who configure the Platform to access third-party APIs on their behalf. Our Clients are responsible for their own end-user data and must maintain their own privacy notices where required.

Contact:
Ascend GTM
Email: privacy@ascendgtm.com

2. Scope of This Policy​

This policy covers:

• Data collected when Clients and authorized administrators use the Ascend GTM Platform
• Data processed in transit when the Platform proxies API requests to connected third-party services on a Client's behalf
• Data stored to operate the Platform (OAuth tokens, configuration, audit logs)

This policy does not cover the privacy practices of third-party services (LinkedIn, Google, Salesforce, HubSpot, Meta, Microsoft, etc.) that our Clients connect to the Platform. Those services have their own privacy policies.

3. Data We Collect and Process​

3.1 Account and Configuration Data​

When a Client onboards to the Platform, we collect and store:

• Business contact information (name, email, company name) of authorized administrators
• Tenant configuration: connected API providers, account identifiers, and access scopes requested
• OAuth application credentials (client IDs) for third-party integrations

3.2 OAuth Tokens and Credentials​

To enable API proxy functionality, we securely store:

• OAuth 2.0 access tokens and refresh tokens for connected third-party services
• API keys and bearer tokens for non-OAuth integrations
• Token metadata (expiry timestamps, scopes granted, account identifiers)

All credentials are stored encrypted at rest using Cloudflare's KV and Durable Objects infrastructure. Refresh tokens are managed by automated alarm-based token rotation — they are never transmitted to end-users or exposed in API responses.

3.3 API Request and Response Data​

When the Platform proxies a request to a third-party API on a Client's behalf:

• Request metadata (provider name, endpoint path, HTTP method, tenant identifier, timestamp) may be logged to our audit ledger
• Response bodies are not persistently stored by Ascend GTM unless a Client explicitly configures caching
• Errors and upstream failure events are logged to an error ledger for debugging and alerting

3.4 Usage and Observability Data​

We collect aggregated, non-personally-identifiable usage metrics including:

• API call counts per provider per tenant
• Error rates and latency percentiles
• Tool invocation frequency

These are used solely to operate, improve, and monitor the Platform.

4. Third-Party Integrations​

The Platform is designed to connect to the following categories of third-party services on behalf of Clients. Each integration is authorized by the Client and subject to the respective third party's terms and privacy policy:

When the Platform accesses these services, it does so strictly within the OAuth scopes granted by the Client and consistent with each service's developer policies. Ascend GTM does not sell, rent, or share data obtained from third-party APIs with any party other than the Client that authorized the connection.

LinkedIn-specific: When accessing LinkedIn APIs, the Platform complies with the LinkedIn API Terms of Use. Data retrieved from LinkedIn (ad accounts, campaign data, analytics) is used solely to provide the requested service to the Client and is not used for any secondary purpose, profiling, or re-sale.

5. Legal Bases for Processing (GDPR)​

For Clients and contacts in the European Economic Area (EEA), United Kingdom, or Switzerland, we process personal data under the following legal bases:

• Contractual necessity: Processing required to provide the Platform services under our agreement with the Client
• Legitimate interests: Operating and securing the Platform, fraud prevention, and service improvement
• Legal obligation: Compliance with applicable laws and regulatory requirements
• Consent: Where we rely on consent (e.g., marketing communications), you may withdraw at any time

6. Data Retention​

Clients may request deletion of their data at any time by contacting privacy@ascendgtm.com.

7. Data Security​

We implement the following security measures:

• Encryption in transit: All data transmitted to and from the Platform uses TLS 1.3
• Encryption at rest: Credentials and tokens are stored encrypted using Cloudflare's managed KV and Durable Objects infrastructure
• Access control: Admin endpoints are protected by Cloudflare Access and require authenticated API keys. Token data is never exposed via the API proxy path
• OAuth 2.1 with PKCE: All OAuth flows use PKCE (Proof Key for Code Exchange) with S256 challenge method
• No token exposure: Refresh tokens are stored only in Cloudflare Durable Objects and are never transmitted to end-user clients
• Audit logging: All administrative configuration changes are logged with timestamp, source, and a hash of the old and new values

8. International Data Transfers​

The Platform is operated on Cloudflare's global edge network. Data may be processed in data centers located in the United States and other countries where Cloudflare operates. For EEA/UK data subjects, transfers outside the EEA/UK are covered by Cloudflare's Standard Contractual Clauses (SCCs) with the European Commission.

9. Your Rights​

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of personal data we hold about you
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten")
• Restriction: Request that we limit processing of your data
• Portability: Request your data in a machine-readable format
• Objection: Object to processing based on legitimate interests
• Withdrawal of consent: Withdraw consent at any time where processing is consent-based

To exercise any of these rights, contact us at privacy@ascendgtm.com. We will respond within 30 days (or as required by applicable law).

For California residents, the above rights include those provided under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).

10. Cookies and Tracking​

The Ascend GTM API gateway and admin interfaces do not use advertising cookies or third-party tracking technologies. We may use essential session cookies for authentication purposes only.

This documentation site (docs.ascendgtm.net) uses no analytics or tracking cookies.

11. Children's Privacy​

The Platform is a B2B service intended for business use only. We do not knowingly collect personal data from individuals under 16 years of age. If we learn that we have inadvertently collected such data, we will delete it promptly.

12. Changes to This Policy​

We may update this Privacy Policy from time to time. Material changes will be communicated to Clients via email at least 30 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Platform after the effective date constitutes acceptance of the updated policy.

13. Contact Us​

For privacy inquiries, data subject requests, or to report a concern:

Email: privacy@ascendgtm.com
Website: https://docs.ascendgtm.net

For security vulnerabilities, see our Security Policy.

This Privacy Policy was last reviewed and approved on April 27, 2026.