How ClickClickBlock integrates with Google Ads

What ClickClickBlock does with your Google Ads account

Our integration with the Google Ads API has a single, narrowly-scoped purpose: add fraudulent IPs to your campaign or account-level exclusion list so those IPs stop seeing your ads. Below is an exhaustive list of what we do and, critically, what we do not.

The OAuth 2.0 consent flow

ClickClickBlock never stores, requests, or requires your Google Ads password. All access is obtained through Google's standard three-legged OAuth 2.0 flow using the narrow https://www.googleapis.com/auth/adwords scope. You initiate the flow from inside the ClickClickBlock dashboard — nothing happens until you click Connect.

Exact API methods we call

These are the only Google Ads API services ClickClickBlock ever calls. Every call is scoped to the authenticating customer's own customer_id.

Not used

We never call: KeywordPlanService, RecommendationService, ConversionActionService, CustomerClientService (beyond list-accessible), BatchJobService, ReachPlanService, AudienceService, or any reporting beyond campaign name/status lookup.

Disconnecting your Google Ads account

Three ways to disconnect, depending on which side you prefer to drive from:

From within ClickClickBlock

• Account tab → "Disconnect Google Ads" button
• We call oauth2.googleapis.com/revoke with the refresh token to immediately invalidate it on Google's side
• We delete the encrypted refresh token from our database
• Your IP exclusion lists are left as they were (we do not remove previously-synced IPs on disconnect, but you can remove them via the Google Ads UI if you wish)

From your Google Account security page

• Go to myaccount.google.com/permissions
• Find ClickClickBlock and click "Remove access"
• Our next API call will fail with invalid_grant, at which point we automatically delete the stored token and email you to reconnect if you wish

On subscription cancellation

If you cancel your ClickClickBlock subscription, your stored Google Ads refresh token is revoked and deleted within 24 hours.

Data handling & security

What we store

• Your encrypted Google Ads refresh token (AES-256-GCM, per-instance master key)
• Your Google Ads customer_id (needed to target API calls)
• Your login_customer_id if using an MCC (optional)
• The timestamp of connection / disconnection
• A log of which IP exclusions we've pushed, for audit purposes (IP address + timestamp + mutation response ID)

What we do NOT store

• Google Ads access tokens (in-memory only, never persisted, re-minted as needed)
• Campaign data beyond name and ID
• Bid amounts, budgets, conversion data, or audience lists
• Any personally-identifiable Google account information beyond the account email you used to sign up for ClickClickBlock

Infrastructure

• Hosted on Render (US region) with managed HTTPS and filesystem-level encryption at rest
• Database: SQLite on a persistent disk with Render-managed snapshots retained 7 days
• Source code: private GitHub repository; deploys require pushes to a protected main branch
• No third-party sub-processors receive Google Ads data. Stripe sees only billing identifiers; Resend sees only transactional email content

Compliance commitments

• We comply with the Google Ads API Terms & Conditions and the Google API Services User Data Policy, including Limited Use requirements.
• We use the developer token only for the purpose described on this page — click-fraud protection via IP exclusion management — and never transfer, sell, or share it.
• Data retrieved via the Google Ads API is never used for advertising, resold, used for machine-learning training beyond the scope described, or disclosed to any third party.
• We will notify affected customers and, where required, Google within 72 hours of any security incident involving Google Ads API credentials.
• Primary technical contact for API compliance matters: [email protected]