Security & Privacy

We can read your GA4 data. We cannot change it.

Read-only OAuth scope. Raw GA4 data is processed in memory and discarded. Refresh tokens are encrypted at rest. Revoke access in one click.

  • Read-Only Scope: enforced by Google OAuth
  • Fernet Encryption: AES-128 at rest
  • TLS 1.2+: encryption in transit
  • In-Memory: zero data retention
  • Google Cloud Run: compute isolation
  • Supabase RLS: tenant isolation

Read-Only by Design

We request the `analytics.readonly` OAuth scope and nothing more. Because the access token carries only that scope, Google rejects any write call made with it (for example a GA4 Admin API request that changes a property) with an insufficient-permissions error; the GA4 Data API itself exposes only reporting methods.

  • Requests are limited to the `https://www.googleapis.com/auth/analytics.readonly` scope.
  • Write permissions are neither requested nor granted.
  • A token with this scope cannot modify property settings, events, or user data.
  • The restriction is checked and enforced by Google's OAuth 2.0 implementation on every API call.

Secure Authentication via Google OAuth

Authentication is delegated to Google via the OAuth 2.0 Authorization Code flow with PKCE. Your Google password is entered only on Google's own pages; we never see or handle it.

  • Standard OAuth 2.0 Authorization Code flow with PKCE (a code verifier and S256 challenge bound to each sign-in).
  • Google handles the credential exchange; we receive only a one-time authorization code, which we exchange for tokens.
  • Access tokens are short-lived and expire after one hour.
  • Refresh tokens are stored encrypted with Fernet symmetric encryption.

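
The two sections above (read-only scope, Authorization Code flow with PKCE) together describe the sign-in. The following is an added example, not code from the Tag & Analytics Audit service: it builds the consent URL with only the read-only scope, derives the S256 PKCE challenge, and checks the `scope` field of Google's token response, which matters because Google lets users de-select individual scopes on the consent screen. The client ID, redirect URI and the sample token response are constructed for illustration.

```python
import base64
import hashlib
import secrets
from typing import Optional, Set, Tuple
from urllib.parse import urlencode

# The only scope this integration asks for.
READONLY_SCOPE = "https://www.googleapis.com/auth/analytics.readonly"
# Google's OAuth 2.0 authorization endpoint.
GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def make_pkce_pair(code_verifier: Optional[str] = None) -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636.

    A fresh 43-character verifier is generated unless one is supplied.
    The challenge is BASE64URL(SHA256(verifier)) with the '=' padding removed.
    """
    if code_verifier is None:
        code_verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    code_challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return code_verifier, code_challenge


def build_authorization_url(client_id: str, redirect_uri: str, state: str, code_challenge: str) -> str:
    """Build the consent URL. Only the read-only scope is requested; the S256
    challenge binds the later code exchange to the verifier kept server-side."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": READONLY_SCOPE,
        "state": state,                    # CSRF protection for the callback
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "access_type": "offline",          # required to receive a refresh token
        "prompt": "consent",
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def check_granted_scopes(token_response: dict) -> Set[str]:
    """Validate the space-separated `scope` field of Google's token response.

    The granted set can be narrower than what was requested (user de-selected
    the scope) and should never be wider; anything other than exactly the
    read-only scope is treated as a failed connection.
    """
    granted = set(token_response.get("scope", "").split())
    if READONLY_SCOPE not in granted:
        raise PermissionError("analytics.readonly was not granted; cannot run an audit")
    unexpected = granted - {READONLY_SCOPE}
    if unexpected:
        raise PermissionError(f"unexpected scopes granted: {sorted(unexpected)}")
    return granted


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    # Hypothetical client ID and redirect URI; the verifier and state would be
    # stored against the user's session until the callback arrives.
    url = build_authorization_url("CLIENT_ID", "https://app.example/oauth/callback",
                                  secrets.token_urlsafe(16), challenge)
    print(url)
    # Constructed sample of a token-endpoint response after the code exchange.
    sample = {"access_token": "ya29.example", "expires_in": 3600,
              "refresh_token": "1//example", "scope": READONLY_SCOPE, "token_type": "Bearer"}
    print(check_granted_scopes(sample))
```

The verifier never leaves the server and the challenge is sent in the URL, so an attacker who intercepts the authorization code on the callback cannot exchange it without the verifier. The scope check runs on the token response, not on the request, because only the response reflects what the user actually approved.
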
Symmetric Encryption for Tokens

OAuth refresh tokens are encrypted at rest using Fernet (AES-128-CBC with PKCS7 padding, authenticated with HMAC-SHA256). A Fernet key is 32 random bytes: 16 for the HMAC signing key and 16 for the AES key. Keys are supplied to the service as environment variables at runtime and are never committed to the codebase, so a copy of the database alone does not expose any token.

  • Fernet symmetric encryption (AES-128-CBC) with a fresh random IV for every token.
  • The HMAC-SHA256 tag is verified before decryption, so a tampered ciphertext is rejected rather than decrypted.
  • Encryption keys are injected at runtime from environment variables.
  • Tokens are never logged or stored in plaintext.

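
As an added example of the scheme described above (not the service's own code), the functions below seal and open a refresh token with Fernet from the `cryptography` package, load the key material from an environment variable, and handle key rotation with `MultiFernet`. The variable name `REFRESH_TOKEN_KEYS` and the sample token values are assumptions for the example.

```python
import os
from typing import List

from cryptography.fernet import Fernet, InvalidToken, MultiFernet


def load_token_keys(env_var: str = "REFRESH_TOKEN_KEYS") -> List[Fernet]:
    """Load Fernet keys from the environment, newest first.

    The variable name is an assumption for this example. Holding more than one
    key (comma-separated) lets a freshly rotated key coexist with the old one
    until every stored ciphertext has been re-encrypted.
    """
    raw = os.environ.get(env_var, "")
    keys = [Fernet(k.strip().encode("ascii")) for k in raw.split(",") if k.strip()]
    if not keys:
        raise RuntimeError(f"{env_var} is not set; refusing to start without a token key")
    return keys


def seal_refresh_token(refresh_token: str, keys: List[Fernet]) -> bytes:
    """Encrypt under the newest key (keys[0]). The resulting Fernet token carries
    a version byte, a timestamp, a random IV, the AES-128-CBC ciphertext and an
    HMAC-SHA256 tag over all of it; this is what is written to the database."""
    return MultiFernet(keys).encrypt(refresh_token.encode("utf-8"))


def open_refresh_token(ciphertext: bytes, keys: List[Fernet]) -> str:
    """Decrypt, trying each key in turn. Fernet checks the HMAC before it
    decrypts, so a modified or truncated ciphertext raises instead of
    yielding garbage that might be sent to Google."""
    try:
        return MultiFernet(keys).decrypt(ciphertext).decode("utf-8")
    except InvalidToken as exc:
        raise ValueError("stored refresh token failed integrity check") from exc


def rotate_refresh_token(ciphertext: bytes, keys: List[Fernet]) -> bytes:
    """Re-encrypt an existing ciphertext under the newest key without exposing
    the plaintext outside this function; run over all rows after a key rotation."""
    return MultiFernet(keys).rotate(ciphertext)


if __name__ == "__main__":
    # Development only: a real deployment injects the key from its environment
    # and never generates one in the application process.
    os.environ.setdefault("REFRESH_TOKEN_KEYS", Fernet.generate_key().decode("ascii"))
    keys = load_token_keys()
    blob = seal_refresh_token("1//0example-refresh-token", keys)   # constructed sample value
    print("stored:", blob[:24] + b"...")
    print("recovered:", open_refresh_token(blob, keys))
```

Keep the key material out of the database and out of application logs; with this layout an attacker needs both a database dump and the runtime environment of the service to recover a single refresh token.
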
In-Memory Processing Only

Raw data fetched from Google Analytics APIs is processed in-memory and immediately discarded. The only data persisted to our database are the audit outputs: findings, scores, and generated reports.

  • Raw API responses are processed in-memory and never written to disk.
  • Only aggregated audit results (pass/fail, scores) are persisted.
  • No event-level or user-level GA4 data is stored.
  • Personally Identifiable Information (PII) is not requested, processed, or stored.

TLS 1.2+ Encryption in Transit

All network communication, both between your browser and our services and between our services and Google APIs, is encrypted using TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) tells browsers to connect to us only over HTTPS, which defeats SSL-stripping attacks that would otherwise downgrade a session to plaintext HTTP.

  • TLS 1.2+ enforced for all client and server communication.
  • HSTS headers are sent on all endpoints.
  • API requests to Google services are made over TLS.
  • Plaintext HTTP is not served.

Isolated Compute

The backend runs on Google Cloud Run. Container instances are stateless and ephemeral: they hold raw GA4 data only for the duration of the request that fetched it, write nothing to the container filesystem, and are recycled and scaled to zero by Cloud Run when idle. Because a single instance may serve several requests over its lifetime, isolation between requests rests on that stateless design as well as on the container boundary.

  • Each container instance runs in its own sandbox, with no access to the memory or filesystem of other instances.
  • Stateless request handling: no raw data is kept in process memory or on disk once a response has been sent.
  • Instances are started on demand and torn down by Cloud Run when idle.
  • The underlying infrastructure is managed and patched by Google Cloud.

Database-Level Tenant Isolation

We use Supabase (PostgreSQL) with Row-Level Security (RLS) policies on every table that holds tenant data. Access rules are evaluated inside the database for each row, so a session can only read or write rows belonging to the organisation of the authenticated user.

  • RLS policies are applied to every table containing customer data.
  • Queries are filtered by the database against the authenticated user's identity (the user ID in the session JWT), not by hand-written WHERE clauses.
  • Isolation is enforced by PostgreSQL itself, so an application bug cannot return another tenant's rows over an RLS-governed connection. Note that Supabase's service-role key bypasses RLS and is therefore unsuitable for tenant-scoped queries.
  • Prevents accidental data exposure between tenants.

Immediate Access Revocation

You retain full control over the OAuth grant. Access can be revoked at any time from your Tag & Analytics Audit dashboard or from your Google Account settings. Disconnecting in the dashboard revokes the grant with Google and deletes our stored tokens; revoking from your Google Account invalidates the refresh token on Google's side immediately, so the encrypted copy we hold can no longer be used.

  • One-click disconnect within the application dashboard.
  • Revoke access directly via myaccount.google.com/permissions.
  • Stored OAuth tokens are permanently deleted upon revocation.
  • All associated audit data is purged within 24 hours of revocation.

Security Vulnerability Disclosure

To report a potential security vulnerability, please email us directly at support@example.com. We review all submissions and aim to respond within 24 hours. We do not have a formal bug bounty program but are grateful for all responsible disclosures.

Run a read-only audit

Connect with Google. We read your GA4 config and reporting data, write nothing back, and store no raw analytics on our servers.