Self-Hosted Ads Analytics

Admaxxer is a DTC analytics platform with built-in Meta + Google ad ops. The self-hosted edition gives you the full product — first-party pixel, 33+ Tinybird pipes, Meta and Google ad-platform connectors, and the Claude-powered AI agent — running on infrastructure you control, with credentials you encrypt, and a Postgres database you own. ## What it does - Runs on your own infra: Replit Deploy for a managed path, or self-host on any Node-compatible host. - Stores every ad-platform credential encrypted at rest with AES-256-GCM, keyed per workspace. - Issues HTTP-only, signed session cookies — no bearer tokens floating around the frontend. - Scopes every query to a workspace: one customer's data never touches another customer's dashboards. - Ships the full analytics stack: first-party pixel, 33+ Tinybird pipes, Postgres (Neon), Upstash Redis for BullMQ workers. ## How it works The deployment topology is intentionally simple. A single Express + TypeScript server renders the React frontend (Vite build), exposes `/api/v1/*` for programmatic clients, and handles webhooks for Stripe and ad-platform callbacks. Postgres is Neon in production by default, though the Drizzle schema is portable to any Postgres. Redis is Upstash over TLS (`rediss://`) for BullMQ insight syncs and token-expiry crons. Tinybird is the analytics warehouse for the first-party pixel. Credentials — Meta user access tokens, Google refresh tokens, developer tokens, GA4 API secrets — never hit Postgres in plaintext. The `server/crypto.ts` module wraps AES-256-GCM with an `ENCRYPTION_KEY` you configure as an environment variable. Rotating that key is a documented operation; losing it is recoverable only by re-connecting the accounts, which is deliberate. Sessions are HTTP-only, signed cookies keyed with `SESSION_SECRET`. The frontend never stores a user's token in localStorage or sessionStorage. This is a boring, deliberate choice — the most common way AI-era dashboards leak credentials is putting long-lived tokens in browser storage. We do not do that. Data scoping is enforced at the Drizzle query layer. Every request resolves a workspace from the session cookie, and every query that reads ad-platform data, pixel events, or chat sessions is filtered on that workspace ID. Cross-workspace reads are impossible by construction, not by policy. The `workspaceMembers` table controls who in a workspace can do what, with owner and member roles. The first-party pixel fires client events to an ingestion endpoint that forwards to Tinybird over Conversions API. Thirty-three-plus pipes compute visitors, revenue, cohorts, blended MER, CAPI match rate, cohort LTV at 7/30/90 days, 1-day and 7-day click attribution, MMM contribution, forecast, and incrementality — all queryable under the workspace. ## Why it matters Hosted analytics vendors promise data portability and usually deliver CSV exports. Admaxxer's self-hosted edition delivers actual data ownership: the Postgres instance is yours, the Tinybird workspace is yours, the pixel fires to your domain. If Admaxxer disappears tomorrow, your data does not. That matters for DTC brands who have been burned by attribution vendors shutting down or pivoting. It matters for agencies who cannot contractually put client data in a shared multi-tenant warehouse. It matters for operators who want to pipe Admaxxer's Tinybird pipes directly into their existing BI stack without going through a vendor API that may rate-limit, deprecate, or charge per call. Encryption at rest with AES-256-GCM, HTTP-only sessions, workspace-scoped queries, and TLS-only Redis add up to a posture that passes a reasonable security review on day one. We do not claim SOC 2 out of the box — that is a company-level commitment — but the product is architected so a self-hosted instance can be audited without surprising the auditor. Finally, the 33+ Tinybird pipes are designed for DTC operators, not for a generic analytics audience. Cohort LTV, blended MER, CAPI match rate, MMM contribution, and attribution windows are the primitives; everything else composes from there. That is the data shape a DTC CFO asks for, and it is the shape Admaxxer ships. ## Who it's for DTC brands with $500k to $50M ARR who want data ownership without hiring a data team. Agencies managing multi-brand portfolios who need hard per-brand data boundaries. Technical operators who read `drizzle-kit push` without flinching and prefer infrastructure they can grep. ## Setup in 15 minutes Deploy on Replit with one click, or self-host on any Node host by cloning the repo, setting `DATABASE_URL`, `REDIS_URL`, `ENCRYPTION_KEY`, `SESSION_SECRET`, `ANTHROPIC_API_KEY`, `STRIPE_SECRET_KEY`, and `APP_URL`, then running `drizzle-kit push` against your Postgres. Full walkthrough in the [install guide](/documentation/install). To see what the stack powers, read [Meta Ads Manager](/features/meta-ads-manager), [Google Ads Manager](/features/google-ads-manager), and [AI Ads Agent](/features/ai-ads-agent). For the pixel deep dive, see the [analytics guide](/guides/first-party-pixel). ## Pricing Self-hosted is included in every plan. Starter is $29/month, Pro is $79/month, Agency is $199/month. Every plan starts with a 7-day free trial and no credit card is required. See [pricing](/pricing) for workspace and seat quotas. ## FAQs **Where exactly is my data stored?** In your Postgres instance (Neon by default, portable to any Postgres) and your Tinybird workspace. Ad-platform credentials are AES-256-GCM encrypted at rest with an ENCRYPTION_KEY you control. **Can I export my data?** Yes. Because the Postgres schema is the single source of truth and Tinybird exposes SQL endpoints, you can export or mirror to any warehouse at any time. There is no vendor lock-in layer in between. **Does self-hosting change the feature set?** No. The self-hosted edition ships the full product — Meta + Google connectors, the Claude AI Ads Agent, all 33+ Tinybird pipes, billing, workspaces, API keys, and webhooks. It is the same codebase.