
What happens to my website's data during the live scan?

What the scanner does while visiting your site, what it never touches (logins, forms, transactions), what ends up in the report, and how the scan coexists with anti-bot protections.


The live scan is the part of the audit where our scanner visits your website - so we describe honestly exactly what it does, what it stores and what it never touches.

What the scanner does

The scanner opens the publicly accessible pages of your website in a real browser (technically: a headless browser - a full browser engine driven programmatically) and observes what happens on the measurement side:

whether the GA4 tag loads and which property it sends data to (measurement ID verification),
whether events are sent twice (e.g. GTM + gtag simultaneously),
how the implementation responds to consent: the scanner simulates a decision in the cookie banner and checks Consent Mode behavior before and after consent,
whether personal data appears in measurement calls, e.g. email addresses in URLs (see: Do you detect personal data (PII)?).
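
As an added illustration (not the scanner's own code), the Python below runs three of the checks listed above over measurement requests captured during a page visit. It assumes each GA4 hit is a URL to a `/g/collect` endpoint carrying `tid` (measurement ID), `en` (event name) and `dl` (page URL), and it treats an identical (`tid`, `en`, `dl`) triple seen twice as a duplicate; the function name, sample URLs and IDs are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Simple email pattern; applied to every parameter value after URL-decoding.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def audit_ga4_hits(urls, expected_id):
    """Summarise captured GA4 collect URLs (hypothetical helper)."""
    ids, events, pii = set(), Counter(), set()
    for url in urls:
        parts = urlsplit(url)
        if not parts.path.endswith("/g/collect"):
            continue  # not a GA4 measurement call
        query = parse_qs(parts.query)  # also decodes %-escapes
        tid = query.get("tid", [""])[0]
        event = query.get("en", [""])[0]
        page = query.get("dl", [""])[0]
        ids.add(tid)
        events[(tid, event, page)] += 1
        # PII signal: report the event and parameter name, never the value.
        for name, values in query.items():
            if any(EMAIL_RE.search(v) for v in values):
                pii.add((event, name))
    return {
        "measurement_ids": sorted(ids),
        "unexpected_ids": sorted(ids - {expected_id}),
        "duplicate_events": sorted(k[1] for k, n in events.items() if n > 1),
        "pii_params": sorted(pii),
    }

# Constructed sample capture: a doubled page_view, a second property,
# an email address inside the page URL, and one unrelated request.
BASE = "https://www.google-analytics.com/g/collect?v=2"
SAMPLE = [
    BASE + "&tid=G-TEST00001&en=page_view&dl=https%3A%2F%2Fshop.example%2F",
    BASE + "&tid=G-TEST00001&en=page_view&dl=https%3A%2F%2Fshop.example%2F",
    BASE + "&tid=G-TEST00002&en=sign_up"
         + "&dl=https%3A%2F%2Fshop.example%2Fthanks%3Femail%3Dann%40example.com",
    "https://shop.example/static/app.js",
]

if __name__ == "__main__":
    for key, value in audit_ga4_hits(SAMPLE, "G-TEST00001").items():
        print(f"{key}: {value}")
```

The result holds only technical findings (IDs, event names, parameter names), which matches the kind of data the report is described as keeping.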

What the scanner does NOT do

it does not log in to any panels or client areas,
it does not fill out or submit forms,
it does not click transactional buttons - no adding to cart, no placing orders, no initiating payments,
it changes and stores nothing on your site's side - the visit is passive, like any other anonymous user's visit,
it does not bypass protections: pages behind logins or passwords stay out of the scan's reach.

What we store from this visit

The report receives technical findings, not a copy of your website: tag detection status, detected measurement IDs, duplication signals, Consent Mode behavior, PII risk signals. We don't archive your website's content.

Will the scanner's visit skew my statistics?

A single, short visit is statistically invisible at the scale of GA4 data. The scanner sends no events of its own to GA4 - it only triggers what your site already sends on every visit, so it adds roughly as much to your data as a single visitor.

The scanner vs. your anti-bot protections

The scanner visits the site like a regular browser. If your website uses aggressive anti-bot protections (WAF, Cloudflare challenges etc.), the scan may be blocked - the API-based GA4 configuration audit completes regardless, but site-verified checkpoints may receive an "N/A" status with a note that verification wasn't possible. See: The scanner can't see my GA4 tag even though it's installed.
