When connecting your Google account, you'll see a consent screen listing the requested permissions. It's worth understanding exactly what we ask for - and, just as importantly, what we don't.
Two scopes, both read-only
Technically, we request two Google API permission scopes:
`analytics.readonly` - reading Google Analytics data and configuration.
This is the core scope of the audit. It lets us read your property's configuration (administrative settings, data streams, key events, attribution, integrations) and the reporting data needed for the checkpoints (e.g. whether the purchase event records continuously, whether transactions have unique identifiers, whether any channel converts at zero).
`analytics.manage.users.readonly` - reading the property's user list.
It lets us read who has access to your GA4 property and with what role - again, read-only. We cannot add anyone, remove anyone or change anyone's permissions.
On the wizard screen these scopes are described in benefit language as three items: "View your Google Analytics data", "List your GA4 properties" and "Read property settings" - all of them boil down to the two scopes above.
Why this matters: read-only is a technical property, not a promise
The key point: both scopes are read-only by definition on Google's side. This means that even if we wanted to change something in your configuration (we don't), the Google API would technically refuse - a write request would be rejected at the level of Google's infrastructure before it ever touched your data. The safety of your configuration therefore doesn't depend on our declaration, but on the architecture of the access itself.
For comparison: many analytics tools request the analytics.edit scope, which allows configuration changes. We deliberately don't - an audit is by nature an examination, not an intervention.
What we do NOT ask for
How long the access lasts
The consent remains valid until you revoke it. The session token we use during an audit expires after about an hour - which is why, returning after a longer break, you may be asked to reconnect (see: "Your GA4 connection session has expired"). You can revoke access at any time: How do I revoke GA4audit's access to my Google account?
Compliance with Google's policies
GA4audit's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements: we use the data solely to generate your report; we don't sell it, share it with third parties, use it for advertising or to train AI models. Full details: Privacy Policy.
Related articles: