Where: infrastructure and region
GA4audit data - user accounts and audit reports - is stored on Google Firebase / Google Cloud infrastructure in a European Union region. This means your data is covered by European protection standards (GDPR) down to the physical location of the servers.
The security layers:
For how long: retention rules
Audit reports - stored until you delete them yourself. They have no expiry date: the audit history is a core value of the project (the Quality score trend), so shortening it is entirely your call. You can delete an individual report in the project history (How do I delete a report from history?).
The account and all data - deleting the account in profile settings removes the account, all audit reports and disconnects all GA4 properties. Data is erased right away, at the moment of the operation (the Privacy Policy reserves up to 30 days for this). The operation is irreversible - there is no grace period during which it can be undone.
Data read from GA4 during the audit - the report stores checkpoint results together with their evidence, e.g. "0 duplicate transaction_ids" or data stream names. We don't create a copy of your GA4 property - we store the examination's findings, not a raw database.
Technical logs - kept to the extent necessary for the operation and security of the service.
A report vs. a "live" GA4 connection
Worth understanding: a report is a snapshot stored on your account - it remains available even after you revoke our Google access. Elements read live (e.g. the current state of data streams), on the other hand, require an active connection. Revoking access therefore deletes no reports: How do I revoke GA4audit's access to my Google account?
Related articles: