1) Controller

Controller within the meaning of the GDPR:

  • Company/Name: Bernhard Prange, Webmasterei Prange
  • Address: Weg in der Aue 3, 34128 Kassel, Germany
  • E-mail: info@webmasterei-prange.de

2) Brief description of the app

GA4 Auditor is a web application for analyzing Google Analytics 4 (GA4) setups and data quality.

The app:

  • authenticates users via Google OAuth (OpenID Connect),
  • reads configuration data via the GA4 Admin API,
  • reads aggregated reporting and real-time data via the GA4 Data API,
  • optionally performs queries on an existing GA4 BigQuery Export (Dataset analytics_<PROPERTY_ID>).

The app does not write data to GA4 or BigQuery and makes no changes to GA4 configurations.

3) What data do we process?

3.1 Account and profile data (Google Login)

When logging in via Google OAuth, we process in particular:

  • E-mail address
  • Display name
  • Profile picture URL (optional)

3.2 Organization, workspace and property data (maintained in the app)

To provide the app functions, we store and process configuration data, in particular:

  • Organization data: Organization name; optional address data (street, postal code, city, country)
  • Workspace data: e.g. GCP project ID, region, technical configurations (e.g. backend/Dataform configuration) as JSON
  • Property data: e.g. GA4 property ID, BigQuery project/dataset location, time zone, expected events
  • Property-specific settings: e.g. expected events, exclusion lists

Protective measure: Certain identifiers (e.g. GA4 property IDs) are sometimes not stored in plain text, but as organization-bound HMAC hashes.

3.3 Data from Google APIs (GA4 / BigQuery)

Depending on the functions activated, the app processes data from the following Google services:

  • GA4 Admin API: e.g. accounts, properties, BigQuery links, streams, audiences, key events, privacy settings
  • GA4 Data API: e.g. aggregated reporting and real-time data
  • Google BigQuery (optional): Execution of queries on GA4 export tables (events_*, events_intraday_*) to perform quality and plausibility checks

Principle: This data is predominantly processed at runtime and displayed in the user interface. Permanent storage of GA4 raw data does not take place.

3.4 Support and feedback data

When users use the feedback or support form, we process:

  • Subject
  • Message text
  • Sender data (name and e-mail from the login; optionally a manually specified reply-to address)

The transmission takes place via e-mail (SMTP) to a configured support address.

3.5 Technical data and server logs

When operating the app, the following data is generated for technical reasons:

  • IP address
  • Date and time of access
  • Request metadata (e.g. user agent)

This data is processed for operational security, error analysis and abuse prevention.

3.6 Web analysis (Matomo, self-hosted) – only with consent

If we use web analysis, we use Matomo (self-hosted) for statistical analysis and improvement of the app.

  • Matomo is only activated after your consent.
  • Usage data (e.g. pages accessed, interactions), technical metadata (e.g. shortened/anonymized IP) and a pseudonymous user ID can be processed.

No plain text e-mail addresses, OAuth tokens or comparable secrets are transmitted to Matomo.

3.7 E-mail communication and contact management – depending on configuration

Depending on the configuration, we can use a service for e-mail communication/contact management, e.g. for:

  • Sending system e-mails (invitations, notifications)
  • optional: product and service-related information

Depending on the function, e-mail address, name and usage-related attributes (e.g. number of logins, last login, number of properties) can be processed in particular.

OAuth tokens/secrets are not transmitted to e-mail/marketing services.

4) Purposes of processing

We process personal data in particular for the following purposes:

  • Provision of login and account functions
  • Management of organizations, workspaces and properties
  • Execution and display of GA4 and (optional) BigQuery analyses
  • Sending system e-mails (e.g. invitations, security-relevant information)
  • Sending product and service-related information to existing customers (soft opt-in), insofar as permitted and can be unsubscribed at any time
  • Processing of support and feedback requests
  • Ensuring security, stability and abuse prevention
  • optional: statistical web analysis (only with consent)

5) Legal bases

Depending on the processing operation, the following legal bases may be considered in particular:

  • Art. 6 para. 1 lit. b GDPR (contract or pre-contractual measures; e.g. account operation, system e-mails)
  • Art. 6 para. 1 lit. f GDPR (legitimate interest; e.g. IT security, error analysis, abuse prevention)
  • Art. 6 para. 1 lit. a GDPR (consent; e.g. web analysis, if activated)

Insofar as information is stored on or read from the end device within the scope of optional functions (e.g. cookies/IDs for web analysis), this is done – insofar as required – on the basis of consent pursuant to Section 25 TDDDG.

Insofar as we send product and service-related information to existing customers, we base this – if applicable – on the existing customer exception (e.g. Section 7 para. 3 UWG) and/or on Art. 6 para. 1 lit. f GDPR. You can object to this use at any time; there is an unsubscribe option in every e-mail.

6) Recipients and processors

Depending on usage and configuration, data can be transmitted to the following recipients or categories of service providers:

  • Google (OAuth, GA4 Admin API, GA4 Data API; optional BigQuery) – to provide the Google functions requested by users.
  • Hosting/platform operation (e.g. Google Cloud Platform) – operation of the app infrastructure.
  • E-mail/SMTP service provider – sending invitations, system e-mails and support messages.
  • Web analysis/tag management (optional): Matomo (self-hosted) – only with consent.
  • Contact management/e-mail service (optional): e.g. Brevo – depending on configuration and legal basis.

Data processing agreements (DPA) are concluded with service providers – insofar as required.

7) Data transfer to third countries

When using external service providers (in particular Google and, if applicable, other providers), the processing or transfer of personal data to third countries (e.g. USA) cannot be excluded.

If necessary, we base third-country transfers on suitable guarantees, in particular:

  • Adequacy decisions (e.g. EU–US Data Privacy Framework, if applicable) and/or
  • EU standard contractual clauses (SCC) and additional measures.

8) Cookies, sessions and consent management

The app uses technically necessary cookies:

  • Session cookie for login and session management
  • short-lived cookie for the OAuth login transfer (contains only a random transfer ID, no OAuth tokens)

Optional cookies/technologies (web analysis) are – if used – only activated after your consent.

Cookies are – as far as technically possible – set with HttpOnly, SameSite=Lax and Secure (with HTTPS).

9) Storage period and deletion

We only store personal data for as long as this is necessary for the respective purposes. Unless statutory retention obligations prevent this, the following deadlines apply in particular:

  • Account and organization data: until the account is deleted; thereafter, deletion/anonymization usually takes place within 30 days (longer storage if legally required).
  • Workspace/property configurations: until deletion by the organization or until account deletion; thereafter, deletion usually takes place within 30 days.
  • Invitations: until acceptance or expiry; thereafter, deletion usually takes place within 90 days.
  • OAuth Access Tokens: only briefly in the active session (typically minutes/hours).
  • OAuth Refresh Tokens (if available): until revocation by the user, expiry or account deletion; thereafter, deletion usually takes place within 30 days.
  • OAuth Login Transfers (short-lived): a few seconds/minutes; automatic cleanup after 24 hours at the latest.
  • Server logs/security logs: usually 14 days, unless required for longer to investigate a security incident.
  • Support/feedback communication: usually up to 24 months (or shorter if the purpose ceases earlier), possibly longer in the event of legal obligations to provide evidence.
  • Backups: Backups can still contain data for up to 35 days; these are overwritten/deleted on a regular basis.

9.1 Account deletion / deletion requests

You can delete your account and/or your data:

apply. We process deletion requests usually within 30 days, unless there are any legal obligations to the contrary.

10) Data security

We use appropriate technical and organizational measures, including:

  • Encryption of sensitive data and tokens “at rest”
  • HTTPS transport encryption
  • role-based authorization and access concept
  • Hardening of the session and cookie configuration

11) Rights of data subjects

Data subjects have in particular the right to:

  • Information
  • Correction
  • Deletion
  • Restriction of processing
  • Data portability
  • Objection to the processing
  • Revocation of granted consents
  • Complaint to a data protection supervisory authority

Requests can be sent to info@webmasterei-prange.de.

12) Google OAuth / Google API Usage

12.1 Revocation of Google access

Users can revoke the app’s access to their Google account at any time in the settings of their Google account (third-party access).

12.2 No impermissible uses (clarification)

We use Google user data exclusively to provide and improve the functions requested by users (GA4 analysis, quality checks).

In particular, the following applies:

  • We do not sell Google user data.
  • We do not use data from Google APIs (in particular GA4/BigQuery query data and OAuth tokens) for advertising/marketing, profiling, data broker purposes or credit scoring.
  • We do not use Google user data to train AI/ML models.

We send system and service-related e-mails (e.g. invitations, security-relevant information), if necessary, to the contact address you used to use the app.

If we send you information about our own similar products or services as an existing customer, this will only be done to the extent permitted by law (e.g. Section 7 para. 3 UWG) and with the possibility of objecting/unsubscribing at any time. We only use the e-mail address as a contact address for this; content/results from GA4/BigQuery queries or OAuth tokens are not used for this or transmitted to e-mail/marketing services.

12.3 Google API Services User Data Policy – Limited Use

Our use and transfer of information that we receive from Google APIs is in accordance with the Google API Services User Data Policy, including the requirements for Limited Use.

13) Changes to this privacy policy

We reserve the right to adapt this privacy policy to reflect legal, technical or organizational changes.