Privacy Policy

Overview

TrackStars GA4 Auditor is a read-only diagnostic tool. After you authorize the application via Google OAuth 2.0, it retrieves your Google Analytics 4 property configuration and event data solely to render an audit report within your browser session. No Google Analytics data is ever transmitted to, processed by, or stored on any Trackstars server or third-party infrastructure. All data handling occurs exclusively client-side, within your browser, and ceases entirely when you close or navigate away from the application.

Data Accessed

TrackStars GA4 Auditor requests only the minimum OAuth scopes necessary to perform an audit. The following Google API scopes may be requested:

• analytics.readonly — Read-only access to Google Analytics reports and property configuration.

• analytics.edit (if applicable) — Access to GA4 property settings for configuration audit purposes only; no modifications are made.

We do not request, access, or use any Google user data beyond what is strictly required to display the audit results. We do not access Gmail, Drive, Calendar, or any other Google service.

Data Protection Mechanisms

Although TrackStars GA4 Auditor does not store sensitive data, we have implemented the following technical and organizational safeguards to protect any data that passes through the application:

• Encryption in Transit (TLS 1.2+): All communication between your browser and the Google APIs is conducted exclusively over HTTPS using Transport Layer Security (TLS 1.2 or higher). Data is encrypted end-to-end during transmission and is never sent over unencrypted channels.

• No Persistent Storage: TrackStars GA4 Auditor does not write Google Analytics data to any database, file system, cloud storage bucket, or third-party service. Data retrieved from the Google Analytics API is held exclusively in volatile browser memory (JavaScript heap) for the duration of your session and is permanently discarded when the session ends.

• No Server-Side Processing: Google Analytics data is fetched directly from Google's APIs by your browser and rendered client-side. It does not pass through or reside on any Trackstars backend server, proxy, or intermediary infrastructure.

• OAuth 2.0 with Minimal Scopes (Principle of Least Privilege): Authorization is handled entirely through Google's OAuth 2.0 framework. We request only the narrowest scopes required for audit functionality. We never ask for write access to Analytics data, and we never request access to other Google services.

• Token Handling: OAuth access tokens and refresh tokens issued by Google are not stored on our servers. Tokens may be temporarily held in your browser's session storage for the duration of the authorized session and are not persisted to cookies or local storage beyond what is necessary for the active session.

• No Third-Party Data Sharing: Google Analytics data accessed by TrackStars GA4 Auditor is never shared with, sold to, or disclosed to any third party. It is used solely to render the audit interface for your benefit.

• Access Controls: The application only processes data belonging to the Google Analytics properties you explicitly authorize during the OAuth consent flow. No cross-account or cross-property data access occurs.

Sensitive Data

Google Analytics 4 properties may contain data derived from user behavior that could be considered sensitive in certain regulatory contexts (e.g., GDPR, CCPA). TrackStars GA4 Auditor treats all Google Analytics data as potentially sensitive and applies the following protections uniformly:

• Data is accessed in an aggregated, read-only context for audit and diagnostic purposes only.

• No individual-level, personally identifiable Google Analytics data (such as Client IDs or User IDs) is extracted, displayed, or retained by the application.

• All data is discarded at session end with no residual copies retained in any system.

Revoking Access

You may revoke TrackStars GA4 Auditor's access to your Google account at any time by visiting Google Account → Security → Third-party apps with account access and removing the application. Because we do not store your data, revocation immediately and completely terminates all access — there is no data to delete from our infrastructure.

Google API Services User Data Policy

TrackStars GA4 Auditor's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy , including the Limited Use requirements. We use Google user data only to provide and improve the TrackStars GA4 Auditor service, and for no other purpose.

Overview

TrackStars Dashboard is a Shopify application that connects to your Shopify-supported store to generate e-commerce performance dashboards and KPI metrics. The following describes how we handle information in connection with this application.

Information We Collect

When you install the App, we are automatically able to access certain types of information from your Shopify account:

• Merchant Information: We collect your contact information (such as your name, email address, and store domain) to communicate with you about your account and provide support.

• Store Metrics and Analytics: We access analytics, reports, and performance metrics to generate the dashboard visualizations.

• Order Information: We access information about orders (read_orders, read_all_orders, read_order_edits) to calculate KPIs like Total Sales and Average Order Value.

• Customer Information: We access customer records solely for the purpose of segmenting metrics, such as distinguishing between New and Returning Customer Sales, and calculating Cohort Lifetime Value (LTV).

• Customer Event Information: We access customer events and web pixel data to attribute sessions and evaluate traffic sources and referrers.

• Product Information: We access product catalogs to associate sales data with specific items where applicable.

How We Use Your Information

• Provide, operate, and maintain the TrackStars Dashboard.

• Calculate and display accurate store metrics (e.g., sessions, sales, cohort LTV, traffic sources).

• Provide customer support and communicate with you about updates or issues.

• Monitor and analyze app performance to improve our services.

Sharing Your Information

We do not sell, rent, or trade your data or your customers' data to third parties.

We may share your Personal Information to comply with applicable laws and regulations, to respond to a subpoena, search warrant or other lawful request for information we receive, or to otherwise protect our rights.

Data Retention and Deletion

We retain your merchant contact information for as long as you use the App. Because we do not persistently store your raw customer PII, there is minimal resident data on our infrastructure.

We are fully compliant with Shopify's mandatory privacy webhooks:

1. Customer Data Requests: If a customer requests access to their data, we will acknowledge the request. As we do not store customer PII natively, there is no data to export from our databases.
2. Customer Deletion Requests: If a customer requests the deletion of their data, we will immediately purge any temporary caches or session data associated with that customer.
3. App Uninstallation: If you uninstall the App, we will automatically delete your store credentials, cached data, and session tokens from our systems within 48 hours.