Security and your data

Where and for how long are my reports stored?

Firebase / Google Cloud infrastructure in an EU region, the security layers and retention rules: reports until you delete them, account erasure immediate and irreversible.

2 min read

Where: infrastructure and region

GA4audit data - user accounts and audit reports - is stored on Google Firebase / Google Cloud infrastructure in a European Union region. This means your data is covered by European protection standards (GDPR) down to the physical location of the servers.

The security layers:

encrypted transmission - all communication runs over HTTPS,
database-level access rules - each user can access only their own projects and reports; the isolation is enforced at the database level, not just in the interface,
Firebase App Check (reCAPTCHA Enterprise) - API protection against unauthorized clients and bots.

For how long: retention rules

Audit reports - stored until you delete them yourself. They have no expiry date: the audit history is a core value of the project (the Quality score trend), so shortening it is entirely your call. You can delete an individual report in the project history (How do I delete a report from history?).

The account and all data - deleting the account in profile settings removes the account, all audit reports and disconnects all GA4 properties. Data is erased right away, at the moment of the operation (the Privacy Policy reserves up to 30 days for this). The operation is irreversible - there is no grace period during which it can be undone.

Data read from GA4 during the audit - the report stores checkpoint results together with their evidence, e.g. "0 duplicate transaction_ids" or data stream names. We don't create a copy of your GA4 property - we store the examination's findings, not a raw database.

Technical logs - kept to the extent necessary for the operation and security of the service.

A report vs. a "live" GA4 connection

Worth understanding: a report is a snapshot stored on your account - it remains available even after you revoke our Google access. Elements read live (e.g. the current state of data streams), on the other hand, require an active connection. Revoking access therefore deletes no reports: How do I revoke GA4audit's access to my Google account?

Related articles:

More in Security and your data

Didn't find your answer?

Write to us - we respond fast, implementation questions included.

Write to us