{"id":37,"date":"2025-12-17T08:39:23","date_gmt":"2025-12-17T07:39:23","guid":{"rendered":"https:\/\/www.ga4-auditor.dev\/privacy-policy\/"},"modified":"2026-01-14T08:15:09","modified_gmt":"2026-01-14T07:15:09","slug":"privacy-policy","status":"publish","type":"page","link":"https:\/\/ga4-auditor.dev\/en\/privacy-policy\/","title":{"rendered":"Privacy Policy"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\" id=\"1-verantwortlicher\">1) Controller<\/h2>\n\n<p><strong>Controller within the meaning of the GDPR:<\/strong><\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>Company\/Name:<\/strong> Bernhard Prange, Webmasterei Prange<\/li>\n\n\n\n<li><strong>Address:<\/strong> Weg in der Aue 3, 34128 Kassel, Germany<\/li>\n\n\n\n<li><strong>E-mail:<\/strong> <a href=\"mailto:info@webmasterei-prange.de\">info@webmasterei-prange.de<\/a><\/li>\n<\/ul>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\" id=\"2-kurzbeschreibung-der-app\">2) Brief description of the app<\/h2>\n\n<p><strong>GA4 Auditor<\/strong> is a web application for analyzing Google Analytics 4 (GA4) setups and data quality.<\/p>\n\n<p>The app:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>authenticates users via <strong>Google OAuth (OpenID Connect)<\/strong>,<\/li>\n\n\n\n<li>reads configuration data via the <strong>GA4 Admin API<\/strong>,<\/li>\n\n\n\n<li>reads aggregated reporting and real-time data via the <strong>GA4 Data API<\/strong>,<\/li>\n\n\n\n<li>optionally performs queries on an existing <strong>GA4 BigQuery Export<\/strong> (Dataset <code>analytics_&lt;PROPERTY_ID&gt;<\/code>).<\/li>\n<\/ul>\n\n<p>The app <strong>does not write data<\/strong> to GA4 or BigQuery and makes <strong>no changes<\/strong> to GA4 configurations.<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\" id=\"3-welche-daten-verarbeiten-wir\">3) What data do we process?<\/h2>\n\n<h3 class=\"wp-block-heading\" 
id=\"31-account--und-profildaten-google-login\">3.1 Account and profile data (Google Login)<\/h3>\n\n<p>When logging in via Google OAuth, we process in particular:<\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>E-mail address<\/strong><\/li>\n\n\n\n<li><strong>Display name<\/strong><\/li>\n\n\n\n<li><strong>Profile picture URL<\/strong> (optional)<\/li>\n<\/ul>\n\n<h3 class=\"wp-block-heading\" id=\"32-organisations--workspace--und-property-daten-in-der-app-gepflegt\">3.2 Organization, workspace and property data (maintained in the app)<\/h3>\n\n<p>To provide the app functions, we store and process configuration data, in particular:<\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>Organization data:<\/strong> Organization name; optional address data (street, postal code, city, country)<\/li>\n\n\n\n<li><strong>Workspace data:<\/strong> e.g. GCP project ID, region, technical configurations (e.g. backend\/Dataform configuration) as JSON<\/li>\n\n\n\n<li><strong>Property data:<\/strong> e.g. GA4 property ID, BigQuery project\/dataset location, time zone, expected events<\/li>\n\n\n\n<li><strong>Property-specific settings:<\/strong> e.g. expected events, exclusion lists<\/li>\n<\/ul>\n\n<p><strong>Protective measure:<\/strong> Certain identifiers (e.g. GA4 property IDs) are sometimes not stored in plain text, but as <strong>organization-bound HMAC hashes<\/strong>.<\/p>\n\n<h3 class=\"wp-block-heading\" id=\"33-daten-aus-google-apis-ga4--bigquery\">3.3 Data from Google APIs (GA4 \/ BigQuery)<\/h3>\n\n<p>Depending on the functions activated, the app processes data from the following Google services:<\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>GA4 Admin API:<\/strong> e.g. accounts, properties, BigQuery links, streams, audiences, key events, privacy settings<\/li>\n\n\n\n<li><strong>GA4 Data API:<\/strong> e.g. 
aggregated reporting and real-time data<\/li>\n\n\n\n<li><strong>Google BigQuery (optional):<\/strong> Execution of queries on GA4 export tables (<code>events_*<\/code>, <code>events_intraday_*<\/code>) to perform quality and plausibility checks<\/li>\n<\/ul>\n\n<p><strong>Principle:<\/strong> This data is predominantly processed <strong>at runtime<\/strong> and displayed in the user interface. <strong>Permanent storage of GA4 raw data<\/strong> does not take place. <\/p>\n\n<h3 class=\"wp-block-heading\" id=\"34-support--und-feedback-daten\">3.4 Support and feedback data<\/h3>\n\n<p>When users use the feedback or support form, we process:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Subject<\/li>\n\n\n\n<li>Message text<\/li>\n\n\n\n<li>Sender data (name and e-mail from the login; optionally a manually specified reply-to address)<\/li>\n<\/ul>\n\n<p>The transmission takes place via <strong>e-mail (SMTP)<\/strong> to a configured support address.<\/p>\n\n<h3 class=\"wp-block-heading\" id=\"35-technische-daten-und-server-logs\">3.5 Technical data and server logs<\/h3>\n\n<p>When operating the app, the following data is generated for technical reasons:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>IP address<\/li>\n\n\n\n<li>Date and time of access<\/li>\n\n\n\n<li>Request metadata (e.g. user agent)<\/li>\n<\/ul>\n\n<p>This data is processed for operational security, error analysis and abuse prevention.<\/p>\n\n<h3 class=\"wp-block-heading\" id=\"36-webanalyse-matomo-self-hosted-%E2%80%93-nur-nach-einwilligung\">3.6 Web analysis (Matomo, self-hosted) \u2013 only with consent<\/h3>\n\n<p>If we use web analysis, we use <strong>Matomo (self-hosted)<\/strong> for statistical analysis and improvement of the app.<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Matomo is only activated after your <strong>consent<\/strong>.<\/li>\n\n\n\n<li>Usage data (e.g. pages accessed, interactions), technical metadata (e.g. 
shortened\/anonymized IP) and a <strong>pseudonymous user ID<\/strong> can be processed.<\/li>\n<\/ul>\n\n<p><strong>No plain text e-mail addresses<\/strong>, OAuth tokens or comparable secrets are transmitted to Matomo.<\/p>\n\n<h3 class=\"wp-block-heading\" id=\"37-e-mail-kommunikation-und-kontaktverwaltung-zb-brevo-%E2%80%93-je-nach-konfiguration\">3.7 E-mail communication and contact management \u2013 depending on configuration<\/h3>\n\n<p>Depending on the configuration, we can use a service for e-mail communication\/contact management, e.g. for:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Sending system e-mails (invitations, notifications)<\/li>\n\n\n\n<li>optional: product and service-related information<\/li>\n<\/ul>\n\n<p>Depending on the function, e-mail address, name and usage-related attributes (e.g. number of logins, last login, number of properties) can be processed in particular.<\/p>\n\n<p>OAuth tokens\/secrets are not transmitted to e-mail\/marketing services.<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\" id=\"4-zwecke-der-verarbeitung\">4) Purposes of processing<\/h2>\n\n<p>We process personal data in particular for the following purposes:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Provision of login and account functions<\/li>\n\n\n\n<li>Management of organizations, workspaces and properties<\/li>\n\n\n\n<li>Execution and display of GA4 and (optional) BigQuery analyses<\/li>\n\n\n\n<li>Sending system e-mails (e.g. 
invitations, security-relevant information)<\/li>\n\n\n\n<li>Sending product and service-related information to existing customers (soft opt-in), insofar as permitted, with the option to unsubscribe at any time<\/li>\n\n\n\n<li>Processing of support and feedback requests<\/li>\n\n\n\n<li>Ensuring security, stability and abuse prevention<\/li>\n\n\n\n<li>optional: statistical web analysis (only with consent)<\/li>\n<\/ul>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\" id=\"5-rechtsgrundlagen\">5) Legal bases<\/h2>\n\n<p>Depending on the processing operation, the following legal bases may be considered in particular:<\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>Art. 6 para. 1 lit. b GDPR<\/strong> (contract or pre-contractual measures; e.g. account operation, system e-mails)<\/li>\n\n\n\n<li><strong>Art. 6 para. 1 lit. f GDPR<\/strong> (legitimate interest; e.g. IT security, error analysis, abuse prevention)<\/li>\n\n\n\n<li><strong>Art. 6 para. 1 lit. a GDPR<\/strong> (consent; e.g. web analysis, if activated)<\/li>\n<\/ul>\n\n<p>Insofar as information is stored on or read from the end device within the scope of optional functions (e.g. cookies\/IDs for web analysis), this is done \u2013 insofar as required \u2013 on the basis of <strong>consent pursuant to Section 25 TDDDG<\/strong>.<\/p>\n\n<p>Insofar as we send product and service-related information to existing customers, we base this \u2013 if applicable \u2013 on the existing customer exception (e.g. <strong>Section 7 para. 3 UWG<\/strong>) and\/or on <strong>Art. 6 para. 1 lit. f GDPR<\/strong>. You can object to this use at any time; there is an unsubscribe option in every e-mail. 
<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\" id=\"6-empf%C3%A4nger-und-auftragsverarbeiter\">6) Recipients and processors<\/h2>\n\n<p>Depending on usage and configuration, data can be transmitted to the following recipients or categories of service providers:<\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>Google<\/strong> (OAuth, GA4 Admin API, GA4 Data API; optional BigQuery) \u2013 to provide the Google functions requested by users.<\/li>\n\n\n\n<li><strong>Hosting\/platform operation<\/strong> (e.g. Google Cloud Platform) \u2013 operation of the app infrastructure.<\/li>\n\n\n\n<li><strong>E-mail\/SMTP service provider<\/strong> \u2013 sending invitations, system e-mails and support messages.<\/li>\n\n\n\n<li><strong>Web analysis\/tag management (optional):<\/strong> Matomo (self-hosted) \u2013 only with consent.<\/li>\n\n\n\n<li><strong>Contact management\/e-mail service (optional):<\/strong> e.g. Brevo \u2013 depending on configuration and legal basis.<\/li>\n<\/ul>\n\n<p><strong>Data processing agreements (DPA)<\/strong> are concluded with service providers \u2013 insofar as required.<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\" id=\"7-daten%C3%BCbermittlung-in-drittl%C3%A4nder\">7) Data transfer to third countries<\/h2>\n\n<p>When using external service providers (in particular <strong>Google<\/strong> and, if applicable, other providers), the processing or transfer of personal data to third countries (e.g. USA) cannot be excluded.<\/p>\n\n<p>If necessary, we base third-country transfers on suitable guarantees, in particular:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Adequacy decisions (e.g. 
EU\u2013US Data Privacy Framework, if applicable) and\/or<\/li>\n\n\n\n<li>EU standard contractual clauses (SCC) and additional measures.<\/li>\n<\/ul>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\" id=\"8-cookies-sessions-und-einwilligungsmanagement\">8) Cookies, sessions and consent management<\/h2>\n\n<p>The app uses technically necessary cookies:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Session cookie for login and session management<\/li>\n\n\n\n<li>short-lived cookie for the OAuth login transfer (contains only a random transfer ID, <strong>no OAuth tokens<\/strong>)<\/li>\n<\/ul>\n\n<p>Optional cookies\/technologies (web analysis) are \u2013 if used \u2013 only activated after your <strong>consent<\/strong>.<\/p>\n\n<p>Cookies are \u2013 as far as technically possible \u2013 set with <strong>HttpOnly<\/strong>, <strong>SameSite=Lax<\/strong> and <strong>Secure<\/strong> (with HTTPS).<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\" id=\"9-speicherdauer-und-l%C3%B6schung\">9) Storage period and deletion<\/h2>\n\n<p>We only store personal data for as long as this is necessary for the respective purposes. 
Unless statutory retention obligations prevent this, the following deadlines apply in particular: <\/p>\n\n<ul class=\"wp-block-list\">\n<li><strong>Account and organization data:<\/strong> until the account is deleted; thereafter, deletion\/anonymization usually takes place within <strong>30 days<\/strong> (longer storage if legally required).<\/li>\n\n\n\n<li><strong>Workspace\/property configurations:<\/strong> until deletion by the organization or until account deletion; thereafter, deletion usually takes place within <strong>30 days<\/strong>.<\/li>\n\n\n\n<li><strong>Invitations:<\/strong> until acceptance or expiry; thereafter, deletion usually takes place within <strong>90 days<\/strong>.<\/li>\n\n\n\n<li><strong>OAuth Access Tokens:<\/strong> only briefly in the active session (typically minutes\/hours).<\/li>\n\n\n\n<li><strong>OAuth Refresh Tokens (if available):<\/strong> until revocation by the user, expiry or account deletion; thereafter, deletion usually takes place within <strong>30 days<\/strong>.<\/li>\n\n\n\n<li><strong>OAuth Login Transfers (short-lived):<\/strong> a few seconds\/minutes; automatic cleanup after <strong>24 hours<\/strong> at the latest.<\/li>\n\n\n\n<li><strong>Server logs\/security logs:<\/strong> usually <strong>14 days<\/strong>, unless required for longer to investigate a security incident.<\/li>\n\n\n\n<li><strong>Support\/feedback communication:<\/strong> usually up to <strong>24 months<\/strong> (or shorter if the purpose ceases earlier), possibly longer in the event of legal obligations to provide evidence.<\/li>\n\n\n\n<li><strong>Backups:<\/strong> Backups can still contain data for up to <strong>35 days<\/strong>; these are overwritten\/deleted on a regular basis.<\/li>\n<\/ul>\n\n<h3 class=\"wp-block-heading\" id=\"91-kontol%C3%B6schung--l%C3%B6schanfragen\">9.1 Account deletion \/ deletion requests<\/h3>\n\n<p>You can delete your account and\/or your data:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>via the app 
settings (if available) or<\/li>\n\n\n\n<li>by e-mail to <strong><a href=\"mailto:info@webmasterei-prange.de\">info@webmasterei-prange.de<\/a><\/strong><\/li>\n<\/ul>\n\n<p>We usually process deletion requests within <strong>30 days<\/strong>, unless there are any legal obligations to the contrary. <\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\" id=\"10-datensicherheit\">10) Data security<\/h2>\n\n<p>We use appropriate technical and organizational measures, including:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Encryption of sensitive data and tokens \u201cat rest\u201d<\/li>\n\n\n\n<li>HTTPS transport encryption<\/li>\n\n\n\n<li>role-based authorization and access concept<\/li>\n\n\n\n<li>Hardening of the session and cookie configuration<\/li>\n<\/ul>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\" id=\"11-betroffenenrechte\">11) Rights of data subjects<\/h2>\n\n<p>Data subjects have in particular the right to:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>Information<\/li>\n\n\n\n<li>Correction<\/li>\n\n\n\n<li>Deletion<\/li>\n\n\n\n<li>Restriction of processing<\/li>\n\n\n\n<li>Data portability<\/li>\n\n\n\n<li>Objection to the processing<\/li>\n\n\n\n<li>Revocation of granted consents<\/li>\n\n\n\n<li>Complaint to a data protection supervisory authority<\/li>\n<\/ul>\n\n<p>Requests can be sent to <strong><a href=\"mailto:info@webmasterei-prange.de\">info@webmasterei-prange.de<\/a><\/strong>.<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\" id=\"12-google-oauth--google-api-nutzung\">12) Google OAuth \/ Google API Usage<\/h2>\n\n<h3 class=\"wp-block-heading\" id=\"121-widerruf-von-google-zugriffen\">12.1 Revocation of Google access<\/h3>\n\n<p>Users can revoke the app&#8217;s access to their Google account at any time in the settings of their Google account (third-party access).<\/p>\n\n<h3 
class=\"wp-block-heading\" id=\"122-keine-unzul%C3%A4ssigen-verwendungen-klarstellung\">12.2 No impermissible uses (clarification)<\/h3>\n\n<p>We use Google user data exclusively to provide and improve the functions requested by users (GA4 analysis, quality checks).<\/p>\n\n<p>In particular, the following applies:<\/p>\n\n<ul class=\"wp-block-list\">\n<li>We do <strong>not sell<\/strong> Google user data.<\/li>\n\n\n\n<li>We do <strong>not<\/strong> use data from Google APIs (in particular GA4\/BigQuery query data and OAuth tokens) for advertising\/marketing, profiling, data broker purposes or credit scoring.<\/li>\n\n\n\n<li>We do <strong>not<\/strong> use Google user data to train AI\/ML models.<\/li>\n<\/ul>\n\n<p>We send system and service-related e-mails (e.g. invitations, security-relevant information), if necessary, to the contact address you used for the app.<\/p>\n\n<p>If we send you information about our own similar products or services as an existing customer, this will only be done to the extent permitted by law (e.g. Section 7 para. 3 UWG) and with the possibility of objecting\/unsubscribing at any time. We only use the e-mail address as a contact address for this; content\/results from GA4\/BigQuery queries or OAuth tokens are not used for this or transmitted to e-mail\/marketing services. 
<\/p>\n\n<h3 class=\"wp-block-heading\" id=\"123-google-api-services-user-data-policy-%E2%80%93-limited-use\">12.3 Google API Services User Data Policy \u2013 Limited Use<\/h3>\n\n<p>Our use and transfer of information that we receive from Google APIs is in accordance with the <strong>Google API Services User Data Policy<\/strong>, including the requirements for <strong>Limited Use<\/strong>.<\/p>\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n<h2 class=\"wp-block-heading\" id=\"13-%C3%A4nderungen-dieser-datenschutzerkl%C3%A4rung\">13) Changes to this privacy policy<\/h2>\n\n<p>We reserve the right to adapt this privacy policy to reflect legal, technical or organizational changes.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>1) Controller Controller within the meaning of the GDPR: 2) Brief description of the app GA4 Auditor is a web application for analyzing Google Analytics 4 (GA4) setups and data quality. The app: The app does not write data to GA4 or BigQuery and makes no changes to GA4 configurations. 
3) What data do we&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"open","template":"","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kadence_starter_templates_imported_post":false,"_swpsp_post_exclude":false,"_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","slim_seo":{"title":"Privacy Policy - GA4 Auditor","description":"1) Controller Controller within the meaning of the GDPR: 2) Brief description of the app GA4 Auditor is a web application for analyzing Google Analytics 4 (GA4)"},"footnotes":""},"class_list":["post-37","page","type-page","status-publish","hentry"],"taxonomy_info":[],"featured_image_src_large":false,"author_info":{"display_name":"Bernhard 
Prange","author_link":"https:\/\/ga4-auditor.dev\/en\/author\/masterben\/"},"comment_info":0,"_links":{"self":[{"href":"https:\/\/ga4-auditor.dev\/en\/wp-json\/wp\/v2\/pages\/37","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ga4-auditor.dev\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/ga4-auditor.dev\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/ga4-auditor.dev\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ga4-auditor.dev\/en\/wp-json\/wp\/v2\/comments?post=37"}],"version-history":[{"count":3,"href":"https:\/\/ga4-auditor.dev\/en\/wp-json\/wp\/v2\/pages\/37\/revisions"}],"predecessor-version":[{"id":163,"href":"https:\/\/ga4-auditor.dev\/en\/wp-json\/wp\/v2\/pages\/37\/revisions\/163"}],"wp:attachment":[{"href":"https:\/\/ga4-auditor.dev\/en\/wp-json\/wp\/v2\/media?parent=37"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}