SecurityHow Tracking Auditor handles your data
A tool that audits tracking compliance has to hold itself to the same standard. This page describes how access and data are handled, in the same plain terms we use in audit reports. The full legal detail is in the privacy policy.
Read-only access, verified by Google
Tracking Auditor requests read-only OAuth scopes for Google Tag Manager and Google Analytics, plus create-file-only access to Google Drive for report exports. The scopes are verified by Google's OAuth review process. The tool cannot modify your container, your property, or any existing file in your Drive.
No server-side token storage
Your Google OAuth token lives in an encrypted, HttpOnly session cookie in your browser for the duration of your session. It is not stored on our servers. Revoking access takes effect immediately and can be done at any time from your Google account's permissions page.
Minimal data retention
Completed audit reports are stored so you can revisit them: scores, findings text, and the configuration item names referenced in findings. Raw GTM container exports and full GA4 traffic data are not retained after the audit runs. You can delete your audit history at any time.
Encrypted transport and security headers
All traffic is encrypted with HTTPS/TLS. The application ships baseline security headers including HTTP Strict Transport Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy and Permissions-Policy.
Disclosed subprocessors
Every third-party service that touches data is named in the privacy policy: Anthropic (report generation), Vercel (hosting), Clerk (authentication), Stripe (payments) and Neon (database). Report generation sends configuration summaries and aggregate metrics, not your visitors' personal data.
Google API Limited Use compliance
Use of Google API data adheres to the Google API Services User Data Policy, including the Limited Use requirements: data is used only to provide the audit you requested, is never sold, and is never used for advertising.
Reporting a vulnerability
If you find a security issue, email privacy@trackingauditor.io and we will respond promptly. Please include enough detail to reproduce the issue.
Questions from your security review?
If your agency or company runs vendor onboarding checks and needs more detail than this page provides, email us and we will answer directly.
Contact us