GA4 Audits
Back to Help Center

Security & Privacy

Do you store my GA4 data?

GA4 Audits stores only the results of the audit checks — not your raw GA4 data. Here's the precise breakdown of what is and isn't stored.

What is stored

For each completed audit, GA4 Audits stores the following in its database:

  • Check results — Pass, fail, warning, or skip status for every check that ran.
  • Scores — The numeric score for each module and the overall score.
  • Finding descriptions — The specific finding text generated for failed checks (e.g. "Data retention is set to 2 months").
  • Audit metadata — Audit start/end time, which modules ran, and the property ID.
  • Property configuration — A snapshot of the settings read from the GA4 Admin API (e.g. timezone, data retention setting, stream URL). These are configuration values, not user behavioural data.

What is not stored

The following data is used only during the audit run and is immediately discarded:

  • Raw GA4 Data API query responses (metric and dimension values).
  • Crawled page HTML or network request logs from the headless browser.
  • Any user-level GA4 data (GA4 does not expose this via the API, but confirming it anyway).
  • OAuth access tokens (held in memory only during the audit task and never written to persistent storage).

OAuth refresh tokens are stored securely (encrypted at rest) to allow audits to run without requiring you to re-authenticate each time.

Data retention periods

Audit results are retained for up to 12 months from creation so you can revisit or export them later. Cancelling your subscription does not restart that window.

If you request deletion, we process it within 30 days unless a legal obligation requires us to keep a specific record for longer. You'll receive a 30-day email notice before deletion. You can request immediate deletion of your data at any time via Settings > Account > Delete account.

Security in transit and at rest

All data is encrypted in transit using TLS 1.2+. Stored audit data is encrypted at rest in Supabase PostgreSQL with row-level security (RLS) policies enforced, meaning your data is only accessible to your own account. OAuth refresh tokens are encrypted at the application layer before storage, separate from the database encryption layer.

Still need help?

Contact our support team — we typically respond within 1 business day.

Contact Support