Privacy Policy
Last updated: 1 June 2026
1. Who we are
Tracking Auditor is operated by Mithul Mistry, trading as Tracking Auditor (“we”, “us”, “our”). We provide a web-based analytics tracking audit service accessible at trackingauditor.io.
If you have questions about this policy, contact us at: privacy@trackingauditor.io
2. What data we access and why
Tracking Auditor connects to your Google account using OAuth 2.0. We request the following permissions and use them solely to generate your tracking audit report:
| Permission | Why we need it |
|---|---|
| Google account identity (email, profile) | To identify your session and display your account email in the interface. |
| Google Tag Manager (read-only) | To fetch your GTM container configuration — tags, triggers, variables, and consent settings — for analysis. |
| Google Analytics (read-only) | To fetch your GA4 property configuration and run data quality checks against your traffic data from the last 30 days. |
| Google Drive (create files only) | To save your audit report to your own Google Drive as a Google Doc and Google Sheet. We only create new files — we cannot read, modify, or delete any existing files. |
| Google Ads (read-only, optional) | To fetch your conversion actions, campaign bidding strategies, and auto-tagging status for the Ads section of the audit. Only requested if you choose to include Google Ads in your audit. |
We access only the minimum data necessary to generate your audit. We do not access, read, or store any other data from your Google account.
3. Google API Services — limited use disclosure
Tracking Auditor’s use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We use Google API data only to provide the tracking audit service you have requested.
- We do not sell your Google API data to third parties.
- We do not use your Google API data for advertising or to build advertising profiles.
- We do not allow humans to read your Google API data except where required by law, necessary for security, or with your explicit consent for support purposes.
- We do not transfer your Google API data to other apps or services except as described in section 5 (Anthropic, for AI-generated findings).
4. How your data is used
Data accessed through your Google account is used exclusively to:
- Analyse your GTM container, GA4 property, and Google Ads account for tracking quality issues
- Generate scored findings across consent architecture, data quality, GTM governance, event quality, and conversion integrity
- Produce a written audit report and action plan exported to your Google Drive
We do not use your data for any other purpose.
5. Third-party services
Tracking Auditor uses the following third-party services to deliver the product:
Anthropic (Claude AI)
We send a structured summary of your audit data to Anthropic’s Claude API to generate the written findings, recommendations, and action plan in your report. This summary contains anonymised configuration data (tag names, event names, scores) — it does not contain personally identifiable information from your analytics data (such as visitor data, user IDs, or transaction details).
Anthropic’s privacy policy: anthropic.com/privacy
Vercel
This application is hosted on Vercel. Vercel may process request metadata (IP addresses, request logs) as part of hosting infrastructure. Vercel’s privacy policy: vercel.com/legal/privacy-policy
Google APIs
This application uses Google APIs to access your GTM, GA4, Google Drive, and optionally Google Ads data. Use of Google services is subject to Google’s Privacy Policy.
6. Data storage and retention
We store the minimum data necessary to operate the service:
- OAuth tokens: Stored in an encrypted session cookie in your browser for the duration of your session. Tokens are used to make API calls on your behalf and are not retained on our servers beyond the active session.
- Audit results: If you have an account, past audit reports are stored to allow you to revisit them. You can delete your audit history at any time from your account settings.
- Google Drive files: Exported reports are saved to your own Google Drive — we do not retain a copy.
We do not retain GA4 event data, GTM container contents, or Google Ads data after your session ends.
7. Your rights (UK GDPR / GDPR)
If you are in the UK or European Economic Area, you have the following rights regarding your personal data:
- Access: Request a copy of the data we hold about you.
- Erasure: Request deletion of your account and associated data.
- Portability: Request your data in a machine-readable format.
- Objection: Object to processing of your data.
- Withdraw consent: Revoke Google account access at any time via myaccount.google.com/permissions.
To exercise any of these rights, contact us at privacy@trackingauditor.io. We will respond within 30 days.
8. Cookies
We use a single session cookie to maintain your authenticated state. This cookie is:
- Strictly necessary for the service to function
- HttpOnly (not accessible to JavaScript) and Secure (sent only over HTTPS)
- Not used for advertising or tracking
We do not use third-party analytics cookies or advertising cookies on this site.
9. Security
All data transmitted between your browser and our servers is encrypted using HTTPS/TLS. OAuth tokens are stored in secure, HttpOnly cookies. We do not store Google API credentials on our servers.
If you become aware of a security vulnerability, please report it to privacy@trackingauditor.io.
10. Changes to this policy
We may update this policy from time to time. When we do, we will update the “Last updated” date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy.