Privacy Policy

We do not sell, rent, or trade your personal information. We share data only with the following third-party service providers, solely to operate the Service:

• Google APIs: Used to access your GA4 data via OAuth 2.0 with read-only permissions.
• Supabase: Used for user authentication and secure data storage.
• Render: Used to host the ConvRadar web application and the MCP connector server.
• Resend: Used to send passwordless magic-link sign-in emails.
• Stripe: Used to process subscription billing where you choose to subscribe.
• ScreenshotOne / Browserless: Used solely to capture screenshots of public pages on your own site that you ask the Service to verify.
• Google Tag Manager: Used for website analytics tracking.

We maintain a complete list of third-party processors with the categories of data they handle and their hosting regions on our Subprocessors page. The list is updated when our stack changes.

ConvRadar's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

• We only request read-only access to your GA4 data.
• We do not sell, share, or use Google user data for advertising purposes.
• We do not allow humans to read your Google user data except where necessary to provide the Service, with your explicit consent, for security purposes, or to comply with applicable law.
• We limit our use of Google user data to providing and improving the Service.

When you use ConvRadar through Claude (Anthropic) or ChatGPT (OpenAI) as an MCP connector, we only receive the specific tool arguments the assistant sends to fulfil your request (for example, a date range, a metric name, or a page URL on your own site). We do not request, receive, log, or store:

• The full content of your conversations with ChatGPT, Claude, or any other AI assistant.
• Claude memory, chat history, conversation summaries, system instructions, or files you upload to Claude or ChatGPT.
• Your OpenAI account, ChatGPT account, Anthropic account, or Claude account identifiers, API keys, or session tokens.
• Any GA4 OAuth scope wider than analytics.readonly.
• Personally identifiable information of GA4 end-users (we read only aggregated metrics and dimensions; the GA4 Data API does not expose raw IPs or user IDs to us).
• Payment card numbers, government IDs, health records, or other special-category personal data.

We follow the principle of data minimisation: we collect only what is required to deliver the audit you requested.

Account data is retained for as long as your account is active. GA4 data fetched for audits is retained for the duration of your active subscription or trial period.

Authentication credentials have hard-coded lifetimes in our MCP server: OAuth refresh tokens auto-expire after 30 days, OAuth authorisation codes after 5 minutes, and JWT access tokens after 1 hour.

You may request deletion of your data at any time by contacting us. Upon account termination, we will delete your personal data within 30 days, except where retention is required by law.

We use industry-standard security measures to protect your data, including encrypted connections (HTTPS), secure token storage for Google OAuth credentials, row-level security (RLS) for tenant isolation in our database, and least-privilege access controls. While no method of transmission or storage is 100% secure, we strive to protect your information using commercially reasonable means.

If you believe you have discovered a security vulnerability in ConvRadar, please report it through our Security Policy or email p••••••n at gmail.com· reveal. We aim to acknowledge reports within 72 hours.

Depending on your location, you may have the following rights regarding your personal data:

• Right to access your personal data.
• Right to rectification of inaccurate data.
• Right to erasure (right to be forgotten).
• Right to restrict processing.
• Right to data portability.
• Right to object to processing.
• Right to withdraw consent at any time.

To exercise any of these rights, please use our Contacts page (subject line [privacy]). You may also revoke ConvRadar's access to your Google account at any time through your Google Account permissions.

We use cookies for the following purposes:

• Authentication cookies: To manage your login session (set by Supabase).
• Analytics cookies: Google Tag Manager may set cookies to collect usage data.

You can control or disable cookies through your browser settings. Disabling cookies may affect the functionality of the Service.

Your data may be processed and stored in countries other than your country of residence, including the United States, where several of our third-party processors (Supabase, Render, Google, Stripe, Resend) operate.

Where the data subject is located in the European Economic Area, the United Kingdom, or Switzerland, transfers of personal data to countries that have not received an adequacy decision are governed by the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor, Implementing Decision (EU) 2021/914), supplemented where required by the UK International Data Transfer Addendum and Swiss FDPIC guidance. The relevant clauses are passed through to our processors via their respective Data Processing Agreements, which are listed on our Subprocessors page.