Privacy Policy

Last updated: January 2025

1. Introduction

GA4 Reports ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our automated Google Analytics 4 reporting service at ga4reports.com (the "Service").

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

2. Information We Collect

2.1 Account Information

When you create an account with GA4 Reports, we collect:

  • Email address - Used for account authentication and communication
  • Password - Securely hashed and stored by Supabase Auth (we never see your plain-text password)
  • Full name - Used to personalize your experience
  • Company name - Used for report branding and context

2.2 Google Analytics Data Access

With your explicit authorization through Google OAuth, we request read-only access to your Google Analytics 4 data. Specifically, we request the following OAuth scopes:

  • analytics.readonly - Read-only access to your GA4 analytics data
  • userinfo.email - Your Google account email for verification

Important: We only access your GA4 data when generating reports. We do NOT store your analytics data permanently. Data is cached temporarily (up to 24 hours) during report generation and then automatically deleted.

The GA4 data we access includes:

  • Active users, sessions, page views, bounce rate, conversions, engagement metrics
  • Device breakdown (mobile, desktop, tablet)
  • Geographic data (country, region)
  • Traffic sources (channels, campaigns, UTM parameters)
  • User demographics (age brackets, gender when available)
  • E-commerce data (revenue, transactions, items - if enabled in your GA4)
  • Custom events and site search data
  • Browser, operating system, and screen resolution data

We store OAuth tokens (access token, refresh token, expiry date) encrypted in our database to maintain your connection to Google Analytics without requiring re-authentication for every report.

2.3 Custom Branding Information

If you customize your reports, we collect:

  • Company logo URL
  • Brand color (hex code)
  • Website URL
  • White-label preferences

2.4 Report Data

We store information about the reports you create:

  • Report title and description
  • Template selected (Comprehensive, Concise, Executive, etc.)
  • Date range and metrics selected
  • AI-generated insights and recommendations
  • PDF customization settings
  • Folder organization
  • Scheduled report configurations (frequency, recipients, timing)

2.5 Usage Information

We automatically collect information about how you use our Service:

  • Pages visited and features used
  • Time spent on the platform
  • Report creation and access history
  • Annotations (important dates you mark)
  • Custom segments (saved analytics filters)

2.6 Payment Information

Payment processing is handled entirely by Stripe. We do NOT store your credit card information. We only store:

  • Stripe customer ID
  • Stripe subscription ID
  • Your selected pricing tier (Starter, Professional, or Agency)

3. How We Use Your Information

We use the information we collect to:

  • Provide the Service - Generate automated GA4 reports with AI-powered insights
  • Authenticate your account - Verify your identity and maintain secure access
  • Process payments - Manage subscriptions and billing through Stripe
  • Send scheduled reports - Deliver reports via email to recipients you specify
  • Communicate with you - Send important updates, notifications, and support responses
  • Improve our Service - Analyze usage patterns to enhance features and user experience
  • Provide customer support - Respond to your questions and troubleshoot issues
  • Comply with legal obligations - Meet regulatory requirements and enforce our Terms of Service

We do NOT:

  • Sell your personal data to third parties
  • Use your GA4 data for any purpose other than generating your reports
  • Share your analytics data with other users or companies
  • Use your data for advertising or marketing to third parties

4. Third-Party Services

We use the following trusted third-party services to operate our platform:

4.1 Google (OAuth & Analytics API)

4.2 Stripe

  • Purpose: Payment processing and subscription management
  • Data shared: Email, billing information (handled directly by Stripe)
  • Privacy policy: https://stripe.com/privacy

4.3 Supabase

  • Purpose: Database, authentication, and backend infrastructure
  • Data shared: All account and report data
  • Privacy policy: https://supabase.com/privacy

4.4 Resend

4.5 Vercel (Hosting)

5. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit - All data transmitted between your browser and our servers uses HTTPS/TLS encryption
  • Encryption at rest - Sensitive data (OAuth tokens, passwords) is encrypted in our database
  • Row-level security (RLS) - Database policies ensure users can only access their own data
  • Regular security audits - We conduct periodic security reviews and vulnerability assessments
  • Secure authentication - Passwords are hashed using industry-standard algorithms
  • Access controls - Limited employee access to production data

However, no method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

6. Data Retention

  • Account information: Retained while your account is active
  • GA4 analytics data: Cached temporarily (up to 24 hours) during report generation, then automatically deleted
  • Generated reports: Stored indefinitely unless you delete them
  • OAuth tokens: Stored encrypted until you disconnect your GA4 account
  • Payment records: Retained as required by law for tax and accounting purposes
  • Temporary PDF tokens: Auto-deleted after expiration (typically 24 hours)

When you delete your account, all associated data (reports, settings, OAuth tokens) is permanently deleted from our database within 30 days.

7. Your Rights (GDPR Compliance)

We are fully compliant with the General Data Protection Regulation (GDPR). If you are in the European Economic Area (EEA), you have the following rights:

  • Right to access - Request a copy of all personal data we hold about you
  • Right to rectification - Correct inaccurate or incomplete data
  • Right to erasure - Request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing - Limit how we use your data
  • Right to data portability - Receive your data in a machine-readable format
  • Right to object - Object to certain types of processing
  • Right to withdraw consent - Revoke consent for data processing at any time

To exercise any of these rights, please contact us at privacy@ga4reports.com. We will respond to your request within 30 days.

8. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act:

  • Right to know what personal information is collected
  • Right to know if personal information is sold or disclosed
  • Right to opt out of the sale of personal information (we do not sell your data)
  • Right to deletion of personal information
  • Right to non-discrimination for exercising your rights

9. Children's Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, please contact us immediately.

10. International Data Transfers

Your information may be transferred to and maintained on servers located outside of your country where data protection laws may differ. By using our Service, you consent to the transfer of your information to the United States and other countries where our service providers operate.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

  • Posting the new Privacy Policy on this page
  • Updating the "Last updated" date at the top
  • Sending you an email notification for material changes

You are advised to review this Privacy Policy periodically. Changes are effective when posted on this page.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Email: privacy@ga4reports.com

Support: support@ga4reports.com

Data Protection Officer: dpo@ga4reports.com

13. Google API Services User Data Policy

GA4 Reports' use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We only request the minimum scopes necessary to provide our Service
  • We use your Google Analytics data solely to generate reports for you
  • We do not transfer your Google data to third parties (except as required to provide the Service)
  • We do not use your Google data for advertising purposes
  • We do not allow humans to read your data unless necessary for security, compliance, or with your consent