1. Who We Are
TrackCheck ("we", "our", or "us") provides an analytics governance platform that helps product and data teams design tracking plans, validate GA4 events against their intended implementation, and reduce tracking errors. Our platform is accessible at app.trackcheck.io and via our Chrome browser extension.
Questions or concerns? Contact us at hello@trackcheck.io.
2. Google API Services & Limited Use Policy
TrackCheck's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, TrackCheck:
- Only uses data obtained from Google APIs to provide or improve the TrackCheck service that is described to users when they authorize access.
- Does not use Google user data for serving advertisements or for any purpose unrelated to the TrackCheck analytics governance service.
- Does not allow humans to read Google user data unless the user has explicitly granted permission, doing so is necessary for security purposes, or it is required by law.
- Does not sell Google user data to third parties.
- Does not transfer Google user data to other parties, except as necessary to provide or improve the service, comply with applicable law, or as part of a merger, acquisition, or sale of assets.
3. Google Analytics 4 (GA4) Access — Detailed Disclosure
TrackCheck's GA4 integration uses one OAuth scope: https://www.googleapis.com/auth/analytics.readonly. This is a restricted scope granted by Google. Below is a full disclosure of what we access, what we do not access, and why.
What data we access
- GA4 property list: The names and numeric IDs of the GA4 properties linked to your Google account (e.g., "My Website — GA4", property ID 123456789). This is used to let you select which property to connect.
- Event names: The names of events that have fired in your selected GA4 property in the last 30 days (e.g., page_view, purchase, add_to_cart). This is used to compare against your TrackCheck event registry to identify missing or misconfigured events.
- Event counts: The aggregate number of times each event fired in the last 30 days (e.g., "page_view: 12,450"). This is an aggregated, non-user-level metric. No individual user sessions or identities are included.
What data we do NOT access
- User PII: No user IDs, email addresses, session IDs, IP addresses, device identifiers, or any personally identifiable information from your GA4 property.
- Raw user-level events: No individual user sessions or event-level records — only aggregated counts by event name.
- Revenue or eCommerce data: No purchase amounts, product prices, or transaction IDs.
- Advertising data: No ad performance, campaign data, or click identifiers.
- Custom dimensions containing PII: We request only event names and counts. No custom dimensions, user properties, or user-scoped data are retrieved.
- Write access: We do not create, modify, or delete any GA4 events, properties, data streams, or configuration.
Why we need this access
TrackCheck's core purpose is to verify that events defined in your tracking plan are actually firing in your analytics property. Without read-only access to your GA4 event names and counts, the platform cannot compare your planned events against what is live — which is the fundamental value of the product. There is no less-privileged scope that provides this capability.
Revoking GA4 access
You can revoke TrackCheck's access to your GA4 data at any time by:
- Visiting your Google Account → Security → Third-party apps with account access
- Finding "TrackCheck" in the list
- Clicking "Remove access"
Revoking access will immediately invalidate your stored GA4 tokens. You can also disconnect from within the TrackCheck portal: navigate to your project settings and click "Disconnect GA4". All stored GA4 tokens and synced event data can be deleted upon request (see Section 7).
4. Information We Collect
We collect the following categories of information:
- Account information: Name, email address, and organization name — collected when you create an account via Google OAuth or email sign-up.
- Project data: Tracking plans, event definitions, flow configurations, and parameter schemas you create within the platform.
- GA4 sync data: Event names and counts fetched from your connected GA4 property (see Section 3). Stored in your organization's isolated data partition.
- OAuth tokens: Google OAuth access tokens and refresh tokens, encrypted at rest using AES-256-CBC before storage. These are used to refresh your GA4 connection without requiring repeated login.
- Usage data: Technical logs including page views, API request counts, and error events — used to maintain service reliability. Logs do not contain GA4 data.
- Chrome extension data: Event scan results from pages you actively scan using the TrackCheck Chrome extension. Scan results are transmitted to and stored in your TrackCheck project.
5. Data Storage & Security
- Database: All data is stored in Supabase (PostgreSQL), hosted on infrastructure with SOC 2 Type II certification. Data is encrypted at rest and in transit (TLS 1.2+).
- Organization isolation: Every row in our database is protected by Row-Level Security (RLS) policies. Your organization's data is never accessible to users from other organizations, even under the same database.
- OAuth token encryption: Google OAuth access and refresh tokens are encrypted using AES-256-CBC with a unique initialization vector before being written to the database. The encryption key is stored separately in a secrets manager and never in the database.
- No third-party data sharing: We do not sell, share, or transfer your data — including any GA4 data — to third parties for any commercial purpose.
- Data retention: GA4 sync data is retained as long as your project exists. You may delete your project or request data deletion at any time (see Section 7).
6. How We Use Your Data
We use the data we collect exclusively to:
- Provide and operate the TrackCheck analytics governance service, including event validation, tracking plan management, and GA4 sync comparisons.
- Send transactional communications: invitation emails, alert notifications, and scan reports.
- Diagnose errors and maintain service reliability (technical logs only — no GA4 data used for diagnostics).
- Improve the platform based on aggregated usage patterns (never based on individual GA4 event data).
We do not use your data for advertising. We do not build advertising profiles, retarget users, or share data with advertising networks.
7. Your Rights & Data Deletion
You have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request corrections to inaccurate or incomplete personal data.
- Deletion: Request deletion of your account and all associated data, including GA4 tokens and synced event data. We will complete deletion within 30 days.
- Revocation: Revoke GA4 access at any time via your Google account (see Section 3) or from within the TrackCheck portal.
- Portability: Request an export of your project data (tracking plans, event definitions) in JSON format.
To exercise any of these rights, email hello@trackcheck.io with the subject line "Data Request — [Your Name]".
8. Third-Party Services
TrackCheck uses the following third-party services to operate the platform. Each link leads to their respective privacy policy.
- Supabase — Database and authentication infrastructure
- Vercel — Application hosting and edge network
- Google — OAuth authentication and GA4 API access
We do not use third-party analytics, advertising pixels, or session recording tools on the TrackCheck platform.
9. Children's Privacy
TrackCheck is a B2B tool intended for business users. We do not knowingly collect personal data from anyone under the age of 16. If we learn that we have inadvertently collected data from a minor, we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to account holders at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of TrackCheck after changes constitutes acceptance of the revised policy.
11. Contact Us
If you have any questions or concerns about this Privacy Policy or our data practices, please contact us:
For questions specifically about Google data access or the Limited Use policy, please include "Google Data Inquiry" in your email subject line.