Privacy Policy

Effective date: 1 April 2026 · Last updated: 7 April 2026

Introduction

GA4 Audits ("we", "us", "our") operates the ga4auditor.com website and the GA4 Audits SaaS platform. This Privacy Policy explains what information we collect when you use our service to audit your Google Analytics 4 properties, how we use that information, and the choices you have.

By creating an account or connecting a GA4 property, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the service.

Information We Collect

Account information

When you sign in with Google, we receive your name, email address, and profile picture from your Google account. We use this to create and manage your GA4 Audits account.

Google OAuth tokens

We store an encrypted OAuth refresh token that allows us to access the Google Analytics APIs on your behalf. Tokens are encrypted using Fernet symmetric encryption before being written to our database. We never store tokens in plaintext.

GA4 property data

When you run an audit, we read configuration metadata from your GA4 properties. This includes property IDs, data stream settings, enhanced measurement configuration, conversion events, custom dimensions and metrics, audience definitions, Google Ads links, BigQuery links, and data retention settings. We also query the GA4 Data API for aggregated traffic, event, and e-commerce reports used to power audit checks.

Audit findings and reports

The results of each audit — including scores, individual check pass/fail statuses, and recommendations — are stored so you can view history and download PDF and CSV reports.

Usage data

We collect basic usage information such as pages visited, features used, browser type, and IP address. This data is used solely to improve the product and diagnose issues.

How We Use Your Data

  • Perform audits — connect to the GA4 Admin API and Data API to read your property configuration and run 213+ automated checks.
  • Generate reports — compile audit findings into downloadable PDF and CSV reports.
  • Improve the service — analyse aggregated, anonymised usage patterns to improve audit accuracy and add new checks.
  • Communicate with you — send account-related emails such as audit completion notifications, security alerts, and policy updates.

Google & GA4 Access

We request a single, read-only OAuth scope:

https://www.googleapis.com/auth/analytics.readonly

This scope grants read-only access to your Google Analytics data. We use it to access:

  • Property configuration and settings
  • Data streams and enhanced measurement configuration
  • Conversion events and custom dimensions/metrics
  • Audience definitions
  • Google Ads and BigQuery link configurations
  • Data retention settings
  • Aggregated traffic, event, and e-commerce reports via the Data API

What we do NOT access:

  • Gmail, Google Drive, Google Calendar, or any other Google service
  • Personal emails or documents
  • Google Ads spend or billing data
  • Individual user-level data or PII stored in GA4 reports

We never write data back to Google Analytics. We never modify your GA4 configuration, GTM containers, or any connected Google property. Our access is strictly read-only.

Data Storage

  • Database — Supabase PostgreSQL with row-level security enabled.
  • Token encryption — Google OAuth tokens are encrypted using Fernet (AES-128-CBC with HMAC-SHA256) before storage. Encryption keys are managed via environment variables and never committed to source control.
  • Application hosting — Google Cloud Run in the europe-west2 (London) region.
  • Encryption in transit — all connections use HTTPS/TLS 1.2+.

Data Retention

Data type                     Retention period
Google OAuth tokens           Until you disconnect or delete your account
Audit results and reports     12 months from creation date
Account data (name, email)    Until you request deletion
Usage logs                    90 days

Security

  • All data is encrypted in transit (HTTPS/TLS) and at rest (AES-256 via Supabase).
  • OAuth tokens are additionally encrypted at the application layer using Fernet before database storage.
  • We do not store raw Google Analytics data — only aggregated metrics needed for audit checks.
  • Database access is restricted to the application service account with row-level security.
  • Infrastructure runs on Google Cloud with SOC 2 and ISO 27001 certified environments.

Third-Party Services

We share data only with the following service providers, each of which is necessary to operate the platform:

  • Supabase — database hosting, authentication, and row-level security.
  • Google Cloud — application hosting (Cloud Run), API access.
  • Stripe — payment processing only. We never see or store your full card number.

We do not sell, rent, or trade your personal data or analytics data to any third party for advertising or marketing purposes.

Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Deletion — request that we delete your account and all associated data.
  • Portability — request an export of your audit data in a machine-readable format.
  • Revoke Google access — disconnect your Google account in app settings at any time, or remove GA4 Audits from your Google account permissions.

To exercise any of these rights, email us at hello@ga4auditor.com.

Cookies

We use essential cookies only — specifically, a Supabase authentication session cookie required to keep you signed in. We do not use third-party tracking cookies, advertising cookies, or analytics cookies. See our Cookie Policy for full details.

Children

GA4 Audits is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at the address associated with your account and update the "Last updated" date at the top of this page. Continued use of the service after notification constitutes acceptance of the updated policy.

Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

hello@ga4auditor.com
