ALERTIS

Privacy Policy

We are ALERTIS (Sole Proprietor Ivanchenko O., Ukraine — "we", "us", "the service"). This policy explains what data we collect, why we need it, who we share it with, and how you can control it. The document is written as plainly as possible. If anything is unclear — email [email protected] and we'll explain in human language.

1. Who we are and how to reach us

ALERTIS is an early-warning SaaS for marketers and business owners. We collect Google Analytics 4 metrics, detect anomalies, and send alerts to Telegram or email.

Data controller: Sole Proprietor Ivanchenko O., Ukraine. Privacy contact: [email protected].

2. What data we collect

We collect the minimum needed to operate the service:

Account data: your email, name (optional), company name, timezone, interface language.

Authentication data: if you sign in with Google, we receive only your email and basic profile (name, avatar). We never see your password.

GA4 access token: the read-only OAuth token you grant to ALERTIS. Stored encrypted. Revocable in Google in 5 seconds.

GA4 metrics: aggregated numbers (sessions, users, conversions, CR, bounce rate, AI traffic) sliced by date, channel, campaign, device, country. We do not receive any personal data of your site visitors.

Telegram chat_id: if you connected the bot, we store the chat ID to send alerts.

Payment data: processed by Stripe. We see only the last 4 digits of the card, type, country. Full card details are not in our database.

Technical data: IP, user-agent, actions in the interface (for security and debugging). Stored up to 90 days.

3. Why we collect it

Account and authentication data — so you can log in and receive personalized reports.

GA4 metrics — to compare against your individual baseline and detect anomalies. That's the product.

Telegram chat_id — to send alerts where you asked us to.

Payment data — for invoicing and accounting.

Technical data — for security (detecting brute-force attempts, blocking attacks) and debugging.

4. Lawful bases for processing (GDPR)

We process your data on the following lawful bases:

Performance of contract (Article 6(1)(b) GDPR) — without the data we cannot provide the service.

Consent (Article 6(1)(a) GDPR) — for some optional features (e.g., niche benchmarks).

Legitimate interest (Article 6(1)(f) GDPR) — for service security and fraud prevention.

Legal obligations — e.g., retention of tax records.

5. Who we share data with (sub-processors)

To operate the service, we use the following third-party services. All have their own privacy policies and are GDPR-compliant:

Supabase (database, data hosting, AWS US/EU) — storage of account data and aggregated metrics.

Railway (backend hosting, US/EU) — servers that read GA4 and send alerts.

Stripe (payments, US) — subscriptions and receipts.

Resend / SendGrid (email delivery) — weekly/monthly email reports.

Telegram (LLC, UAE) — message delivery via the bot API. Telegram does not access GA4 metrics beyond what we put in the alert text.

OpenAI / Anthropic (AI analysis, US) — for generating textual explanations of anomalies. We send only aggregated numbers without identifiers. You can enable BYOK mode (your own API key) — then requests go directly from you.

Google Analytics 4 (Google LLC) — the source of your data. We only read, never modify.

We never sell your data to third parties. We never share it with ad networks.

6. How long we keep data

Account data — while your account exists + 30 days after deletion (recovery window).

GA4 metrics — while the subscription is active. On GA4 disconnect — wiped within 14 days.

Access logs — 90 days.

Payment records — 7 years (tax law requirement).

7. Your rights

You have the right to:

Receive a copy of all data we hold about you (CSV/JSON export via account settings).

Correct inaccurate data.

Delete your account and all related data. One click in settings. We process the request within 14 days.

Restrict processing — e.g., pause analytics without deleting the account.

Port data to another service (data portability).

Withdraw consent at any time.

Lodge a complaint with the data protection authority of Ukraine or your country.

To exercise a right, write to [email protected]; we respond within 30 days.

8. Security

Encryption at rest — AES-256.

Encryption in transit — TLS 1.3.

GA4 tokens stored encrypted in a separate vault.

Two-factor authentication available for all accounts.

We regularly update dependencies and monitor vulnerabilities. If you find one, write to [email protected]; we appreciate it.

9. Cookies

We use only functional cookies needed to run the service: authentication, locale switcher, theme.

No analytics or advertising cookies on alertis.app.

The app (app.alertis.app) uses minimal cookies for session handling.

10. International data transfers

Some sub-processors are located in the US (Stripe, OpenAI). Data transfers happen under European Commission Standard Contractual Clauses (SCC).

We do not transfer data to countries lacking an adequate level of protection without additional safeguards.

11. Children

The service is not intended for persons under 16. If we learn that we collected a minor's data without guardian consent, we erase it.

12. Changes to this policy

If we make material changes, we'll notify you by email and in the interface 14 days in advance. We may make minor edits (wording, typos) without notice.