Data Handling
This document describes in technical detail how ALERTIS works with your Google Analytics 4 and Google Ads data. Where the Privacy Policy describes principles, this page gives specifics: which queries we make, what we store, how we encrypt it, and how long we keep it. It is written for people who want to understand the technical details.
1. Read-only principle
ALERTIS accesses your GA4 only via the official Google OAuth with the analytics.readonly scope. This means:
We CAN READ metrics (sessions, conversions, channels, campaigns).
We CANNOT change GA4 settings, create/delete audiences, modify properties, or share your analytics with third parties.
Access can be revoked in Google → Security → Third-party apps → ALERTIS → Remove access. It takes 5 seconds.
2. Exactly what we query from GA4 API
Metrics we query:
sessions, totalUsers, newUsers — traffic volume.
conversions, sessionConversionRate — conversions and CR (for events you selected during onboarding).
bounceRate, averageSessionDuration, screenPageViewsPerSession — traffic quality.
Dimensions:
date, dayOfWeek — to compute the individual baseline.
sessionDefaultChannelGroup — channel grouping.
sessionCampaignName — to track specific campaigns.
sessionSource — to detect AI traffic (chatgpt.com, claude.ai, etc.).
deviceCategory, country — for anomaly detail.
What we DO NOT query: GA4 userID, ClientID, visitor IPs, demographic data. We get aggregated numbers only.
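The lists in sections 1 and 2 can be turned into a mechanical check on outgoing requests. The following is an added example, not ALERTIS code: it compares a GA4 Data API runReport request body and a granted-scope string against the names published above. The function names and sample requests are constructed for illustration.

```python
# Added example: audit a GA4 Data API runReport body against the metric and
# dimension allow-list from section 2. Helper names and samples are constructed.

READONLY_SCOPE = "https://www.googleapis.com/auth/analytics.readonly"

ALLOWED_METRICS = {
    "sessions", "totalUsers", "newUsers",
    "conversions", "sessionConversionRate",
    "bounceRate", "averageSessionDuration", "screenPageViewsPerSession",
}
ALLOWED_DIMENSIONS = {
    "date", "dayOfWeek", "sessionDefaultChannelGroup",
    "sessionCampaignName", "sessionSource", "deviceCategory", "country",
}


def audit_scopes(granted: str) -> list[str]:
    """Return granted OAuth scopes (space-separated input) beyond analytics.readonly."""
    return sorted(s for s in granted.split() if s != READONLY_SCOPE)


def audit_report_request(body: dict) -> dict:
    """Return metric and dimension names in a runReport body that section 2 does not list."""
    def names(key):
        # Entries without a "name" field are reported as "<unnamed>".
        return {item.get("name", "<unnamed>") for item in body.get(key, [])}
    return {
        "metrics": sorted(names("metrics") - ALLOWED_METRICS),
        "dimensions": sorted(names("dimensions") - ALLOWED_DIMENSIONS),
    }


# Constructed sample requests in the runReport JSON shape.
DOCUMENTED = {
    "dateRanges": [{"startDate": "yesterday", "endDate": "yesterday"}],
    "metrics": [{"name": "sessions"}, {"name": "conversions"}],
    "dimensions": [{"name": "date"}, {"name": "sessionSource"}],
}
UNDOCUMENTED = {
    "dateRanges": [{"startDate": "90daysAgo", "endDate": "yesterday"}],
    "metrics": [{"name": "sessions"}, {"name": "totalRevenue"}],
    "dimensions": [{"name": "country"}, {"name": "userAgeBracket"}],
}

if __name__ == "__main__":
    for label, req in (("documented", DOCUMENTED), ("undocumented", UNDOCUMENTED)):
        print(label, audit_report_request(req))
    print(audit_scopes(READONLY_SCOPE + " openid email"))
```

An empty result for both keys means the request stays within the published lists; any name returned is a field the policy does not cover.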
3. Data collection schedule
Initial backfill (one-time on connect): 90 days of history — to build the individual baseline immediately.
Daily collection: 01:00–05:00 UTC (adapted to your timezone) — for the previous full day.
Weekly collection: every Sunday at 23:00 UTC — for weekly report calculation.
Monthly collection: 1st of month at 02:00 UTC — for monthly summary.
Outside these windows, we do not access your GA4.
4. What we store in our database
In PostgreSQL (Supabase, EU/US by your choice) we store:
Account data: email, name, company, timezone, language.
Settings: daily report time, days of week, active conversions, Telegram chat_id.
GA4 OAuth refresh_token: AES-256 encrypted in a separate vault, inaccessible from the main API.
Aggregated metrics: rows of "date + channel + campaign + device + metric value". No visitor personal data.
Computed baselines: averages by day of week, standard deviations.
Alert log: what we sent, when, with what text.
5. Google Ads (Pro and above)
On Pro and Agency plans we additionally connect to Google Ads API (scope adwords or analytics.readonly + ads.readonly).
We collect: spend, CPC, CPL, ROAS, impressions, CTR, campaign status.
Because of the risks of sharing financial data via Telegram, spend details are NOT INCLUDED in plain Telegram messages. The message has a "View details" button that opens a secured mini-app with auth.
6. AI processing (explanation generation)
To generate human-style anomaly explanations we use OpenAI GPT-4o Mini or Anthropic Claude Haiku.
What we send to the LLM: only aggregated numbers and channel/campaign names (e.g., "Paid Search Kyiv-Search: 0 conversions on 45 clicks, baseline 3").
What we DO NOT send: your email, name, visitor data, full account context.
BYOK mode (Bring Your Own Key): you can provide your own OpenAI/Anthropic API key — then requests go from your account, and we don't touch your data on the AI provider's side at all.
Neither OpenAI nor Anthropic uses API requests to train their models (per their Enterprise/API terms).
7. Encryption and storage security
At rest: AES-256 at the disk level (Supabase managed).
In transit: TLS 1.3 for all connections.
GA4 OAuth tokens: an additional encryption layer, with the key stored in a KMS isolated from the main database.
Production database access: only two engineers, via MFA + SSH keys. Access logs retained.
Regular backups: daily (point-in-time recovery for 7 days).
8. How long data is kept
While the subscription is active — full aggregated metrics retained.
On GA4 disconnect via the interface — we erase metrics within 14 days.
On account deletion — all personal and aggregated data is erased within 30 days. Only legally required records remain (payment records — 7 years).
System access log — 90 days.
9. Exporting your data
Anytime via Settings → Data → Export you can get:
All aggregated metrics in CSV.
Account settings and conversion list in JSON.
Archive of all alerts and reports in PDF/CSV.
Export is prepared within 24 hours and sent to your email as a link valid for 7 days.
10. Deleting data
Partial: you can disable an individual conversion, disconnect GA4 (the corresponding data layer is wiped), or disable AI processing.
Full: account deletion in Settings → Delete account. Data wiped within 30 days. Confirmation sent to your email.
If you need to delete data urgently (e.g., after an incident), write to [email protected]; we process such requests within 24 hours.
11. Future transparency
If we add a new sub-processor or significantly change the data we collect, we'll notify you 14 days in advance via email and in the interface.
The current sub-processors list is always up to date on the /privacy page in section 5.
We don't start processing new types of data without an explicit update to this policy.