Privacy Policy

Effective date: 1 April 2026 · Last updated: 7 April 2026

Introduction

GA4 Audits ("we", "us", "our") operates the ga4audits.com website and the GA4 Audits SaaS platform. This Privacy Policy explains what information we collect when you use our service to audit your Google Analytics 4 properties, how we use that information, and the choices you have.

By creating an account or connecting a GA4 property, you agree to the collection and use of information as described in this policy. If you do not agree, please do not use the service.

Information We Collect

Account information

When you sign in with Google, we receive your name, email address, and profile picture from your Google account. We use this to create and manage your GA4 Audits account.

Google OAuth tokens

We store an encrypted OAuth refresh token that allows us to access the Google Analytics APIs on your behalf. Tokens are encrypted using Fernet symmetric encryption before being written to our database. We never store tokens in plaintext.

GA4 property data

When you run an audit, we read configuration metadata from your GA4 properties. This includes property IDs, data stream settings, enhanced measurement configuration, conversion events, custom dimensions and metrics, audience definitions, Google Ads links, BigQuery links, and data retention settings. We also query the GA4 Data API for aggregated traffic, event, and e-commerce reports used to power audit checks.

Audit findings and reports

The results of each audit — including scores, individual check pass/fail statuses, and recommendations — are stored so you can view history and download PDF and CSV reports.

Usage data

We collect basic usage information such as pages visited, features used, browser type, and IP address. This data is used solely to improve the product and diagnose issues.

How We Use Your Data

  • Perform audits — connect to the GA4 Admin API and Data API to read your property configuration and run the audit checks available to your plan.
  • Generate reports — compile audit findings into downloadable PDF and CSV reports.
  • Improve the service — analyse aggregated, anonymised usage patterns to improve audit accuracy and add new checks.
  • Communicate with you — send account-related emails such as audit completion notifications, security alerts, and policy updates.

Google & GA4 Access

The current self-serve sign-in flow requests one read-only OAuth scope:

https://www.googleapis.com/auth/analytics.readonly

The analytics.readonly scope grants read-only access to your Google Analytics data. It lets us read property settings, stream metadata, and aggregated reporting data required to audit your implementation. This is read-only access: we never write data to Google Analytics and we never modify your GA4 configuration.

We do not currently request BigQuery OAuth access in the standard sign-in flow. If a separate BigQuery parity workflow is introduced in future, that additional scope would be requested separately at the point it is needed.

We use this scope to access:

  • Property configuration and settings
  • Data streams and enhanced measurement configuration
  • Conversion events and custom dimensions/metrics
  • Audience definitions
  • Google Ads and BigQuery link configurations
  • Data retention settings
  • Aggregated traffic, event, and e-commerce reports via the Data API

What we do NOT access:

  • Gmail, Google Drive, Google Calendar, or any other Google service
  • Personal emails or documents
  • Google Ads spend or billing data
  • Individual user-level data or PII stored in GA4 reports

We never write data back to Google Analytics. We never modify your GA4 configuration, GTM containers, or any connected Google property. Our access is strictly read-only.

Data Storage

  • Database — Supabase PostgreSQL with row-level security enabled.
  • Token encryption — Google OAuth tokens are encrypted using Fernet (AES-128-CBC with HMAC-SHA256) before storage. Encryption keys are managed via environment variables and never committed to source control.
  • Application hosting — Google Cloud Run in the europe-west2 (London) region.
  • Encryption in transit — all connections use HTTPS/TLS 1.2+.

Data Retention

Data type | Retention period
Google OAuth tokens | Until you disconnect or delete your account
Audit results and reports | 12 months from creation date
Account data (name, email) | Until you request deletion
Usage logs | 90 days

Security

  • All data is encrypted in transit (HTTPS/TLS) and at rest (AES-128-CBC via Fernet for tokens, AES-256 via Supabase for database).
  • OAuth tokens are additionally encrypted at the application layer using Fernet before database storage.
  • We do not store raw Google Analytics data — only aggregated metrics needed for audit checks.
  • Database access is restricted to the application service account with row-level security.
  • Infrastructure runs on Google Cloud with SOC 2 and ISO 27001 certified environments.

Third-Party Services

We share data only with the following service providers, each of which is necessary to operate the platform:

  • Supabase — database hosting, authentication, and row-level security.
  • Google Cloud — application hosting (Cloud Run), API access.
  • Stripe — payment processing only. We never see or store your full card number.

We do not sell, rent, or trade your personal data or analytics data to any third party for advertising or marketing purposes.

Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — request correction of inaccurate personal data we hold about you.
  • Deletion — request that we delete your account and all associated data.
  • Restrict processing — request that we limit how we process your data in certain circumstances.
  • Object — object to our processing of your data where we rely on legitimate interest as the legal basis.
  • Portability — request an export of your audit data in a machine-readable format.
  • Revoke Google access — disconnect your Google account in app settings at any time, or remove GA4 Audits from your Google account permissions.

To exercise any of these rights, email us at support@ga4audits.com.

GDPR & Data Protection

Data Controller

GA4 Audits, United Kingdom. Contact: privacy@ga4audits.com

Lawful Basis for Processing

  • Contract performance — we process your GA4 property data to deliver the audit service you requested.
  • Legitimate interest — we process usage data to improve our platform and prevent abuse.
  • Consent — where required (e.g., optional analytics), we obtain your explicit consent.

Additional Rights Under GDPR

In addition to the rights listed above, EU/UK residents have the right to:

  • Rectification of inaccurate personal data
  • Restriction of processing
  • Object to processing based on legitimate interest
  • Lodge a complaint with your local supervisory authority (e.g., the ICO in the United Kingdom: ico.org.uk)

International Data Transfers

Your data is processed on servers in the EU/EEA (Supabase EU region) and may be transferred to Google Cloud services in accordance with Google's data processing terms. Where transfers occur outside the EU/EEA, they are protected by Standard Contractual Clauses (SCCs).

Cookies

We use essential cookies only — specifically, a Supabase authentication session cookie required to keep you signed in. We do not use third-party tracking cookies, advertising cookies, or analytics cookies. See our Cookie Policy for full details.

Children

GA4 Audits is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will promptly delete it.

Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at the address associated with your account and update the "Last updated" date at the top of this page. Continued use of the service after notification constitutes acceptance of the updated policy.

Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:

support@ga4audits.com
