Privacy Policy
Last updated: March 2026 · GA4 Health Check is operated by Native Ore Analytics.
The short version: We access your Google Analytics data read-only to run your audit. We don't store your raw analytics data. We don't sell your information. You can revoke our access from Google at any time.
Who we are
GA4 Health Check is an automated GA4 auditing tool operated by Native Ore Analytics. We can be reached at hello@nativeoreanalytics.com.
What we access
To run a GA4 audit, we request read-only OAuth access to your Google account with the following scopes:
- Google Analytics Read & Analyze — to query your GA4 property data via the Google Analytics Data API
- Google Analytics Edit — read-only access to your GA4 Admin configuration (property settings, streams, audiences). Despite the name, we use this scope only to read configuration — we never modify anything.
We use these permissions only to run your audit. We do not access any other Google services, Google Drive, Gmail, or data outside of your GA4 property.
What we store
We store the minimum necessary to operate the service:
- Your email address and name — from your Google account, used to identify your session and send you your report
- Audit job results — the findings and scores from your audit, stored temporarily (24 hours) so you can download your PDF report. Raw GA4 event data is never stored.
- Session tokens — a JWT token stored in your browser's localStorage to keep you signed in. Expires after 7 days.
We do not store your raw Google Analytics data. Query results are processed in memory to generate your report and then discarded.
What we never do
- We never modify, delete, or export your GA4 data
- We never sell or share your personal information with third parties for marketing purposes
- We never retain your GA4 raw event data beyond the audit session
- We never access GA4 properties you haven't explicitly selected for audit
How we use your information
Information we collect is used to:
- Run your GA4 audit and generate your report
- Send you your PDF report by email if requested
- Communicate service updates or important notices
- Improve the audit checks and product experience
Third-party services
GA4 Health Check uses the following third-party infrastructure:
- Google OAuth — for authentication and GA4 API access
- Railway — our backend hosting provider (United States)
- Netlify — our frontend hosting provider (United States)
- Redis — temporary session and job storage
- Stripe — payment processing. We never see or store your full card details.
Revoking access
You can revoke GA4 Health Check's access to your Google account at any time by visiting myaccount.google.com/permissions and removing GA4 Health Check from the list of connected apps. This immediately terminates our ability to access any of your Google data.
To delete your account data, email hello@nativeoreanalytics.com with the subject "Delete my data" and we will remove all stored information associated with your email address within 7 days.
Cookies and local storage
GA4 Health Check uses browser localStorage to store your authentication token and session preferences. We do not use third-party tracking cookies or advertising cookies. We do not use Google Analytics on our own site.
Data transfers
GA4 Health Check operates from servers in the United States. If you are located outside the United States, your information will be transferred to and processed in the United States. By using GA4 Health Check, you consent to this transfer.
How we protect your data
We take the security of your data seriously. The following mechanisms are in place to protect any information we access or store:
- Encryption in transit — all data transmitted between your browser, our servers, and the Google APIs is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints.
- Encryption at rest — session tokens and audit results stored in Redis are encrypted at rest by our hosting infrastructure.
- Minimal data retention — audit job results are automatically deleted after 90 days. OAuth tokens are short-lived and never written to permanent storage. Raw GA4 event data is never persisted — it is processed in memory and discarded immediately after your report is generated.
- Access controls — our backend API requires a valid signed JWT token for all authenticated requests. OAuth tokens are stored server-side and never exposed to the browser. Access to production infrastructure is restricted to authorised personnel only.
- Least-privilege OAuth scopes — we request only the minimum Google API scopes required to run your audit. We request read-only access and never request scopes that would allow us to modify, delete, or export your data.
- No third-party data sharing — your Google Analytics data is never shared with, sold to, or processed by any third party. It is used solely to generate your audit report and then discarded.
- Isolated audit jobs — each audit runs in an isolated job scoped to your authenticated session. Your data cannot be accessed by other users.
If you have questions about our security practices or wish to report a vulnerability, please contact us at hello@nativeoreanalytics.com.
Changes to this policy
We may update this privacy policy from time to time. We will note the date of the last update at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy.
Contact
Questions about this policy or your data? Email us at hello@nativeoreanalytics.com.