Security

Your data stays yours

DataCanary is built on read-only access, minimal data storage, and encryption at every layer. Here's exactly how it works.

🔒

Read-only OAuth

DataCanary connects via Google OAuth using the analytics.readonly scope only. We cannot make any changes to your GA4 property, your account settings, or your Google account.

Google verified

DataCanary has passed Google's OAuth app verification process for sensitive scopes. Our use of the Analytics read-only scope has been reviewed and approved by Google.

🚫

No write access

We request no scopes that would allow writing, editing, or deleting anything in your Google account. You can verify this on the Google permissions screen when you connect.

| Data type | Accessed | Stored | Detail |
|---|---|---|---|
| Raw event records | No | No | The GA4 Data API only returns aggregated data; individual hit-level records are never accessible via the API |
| Event counts & aggregates | Yes | Yes | We only store a simple count of recent data |
| Parameter names | Yes | Yes | Parameter presence tracked, not values |
| OAuth tokens | Yes | | Encrypted at rest with AES-256-GCM |
| Your email address | Yes | | Used to send alerts and summary emails |

🔑

AES-256-GCM encryption

Your OAuth tokens are encrypted at rest using AES-256-GCM before being written to the database.
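
An added sketch of token encryption at rest with AES-256-GCM in Node.js, not DataCanary's own code: the stored layout (nonce, tag, ciphertext), the use of the user id as additional authenticated data, and the names `sealToken` and `openToken` are assumptions for illustration. It shows that a tampered blob, or one copied into another user's row, fails authentication instead of decrypting.

```javascript
// Added example, not DataCanary's code. Layout, AAD choice and names are assumptions.
const nodeCrypto = require("node:crypto");

const NONCE_LEN = 12; // 96-bit nonce, the size GCM is designed around
const TAG_LEN = 16;   // full 128-bit authentication tag

// Encrypt one OAuth token. `userId` is bound in as AAD so the stored blob
// only decrypts for the row it was written to.
function sealToken(key, userId, token) {
  if (key.length !== 32) throw new Error("AES-256 needs a 32-byte key");
  const nonce = nodeCrypto.randomBytes(NONCE_LEN); // fresh per encryption, never reused
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, nonce, { authTagLength: TAG_LEN });
  cipher.setAAD(Buffer.from(userId, "utf8"));
  const ct = Buffer.concat([cipher.update(token, "utf8"), cipher.final()]);
  // Assumed stored layout: nonce || tag || ciphertext, base64 for a text column
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]).toString("base64");
}

// Decrypt; returns null instead of plaintext if the blob, key or userId do not match.
function openToken(key, userId, blob) {
  const raw = Buffer.from(blob, "base64");
  if (raw.length < NONCE_LEN + TAG_LEN) return null;
  const nonce = raw.subarray(0, NONCE_LEN);
  const tag = raw.subarray(NONCE_LEN, NONCE_LEN + TAG_LEN);
  const ct = raw.subarray(NONCE_LEN + TAG_LEN);
  try {
    const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, nonce, { authTagLength: TAG_LEN });
    d.setAAD(Buffer.from(userId, "utf8"));
    d.setAuthTag(tag);
    return Buffer.concat([d.update(ct), d.final()]).toString("utf8");
  } catch {
    return null; // tag check failed: tampered blob, wrong row, or wrong key
  }
}

// Constructed sample values (not real credentials)
const key = nodeCrypto.randomBytes(32); // in practice loaded from a secrets manager
const stored = sealToken(key, "user-123", "constructed-sample-token");
console.log(openToken(key, "user-123", stored)); // the original token
console.log(openToken(key, "user-456", stored)); // null: blob moved to another user's row
```
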

🌍

EU data storage

Your data is stored in Supabase with servers located in the EU. DataCanary is operated from Ireland and is subject to GDPR.

🛡️

Row-level security

Database access is enforced at the row level. No user can query another user's property data, check results, or issues — even with a valid session.

Verified for sensitive scopes

DataCanary has completed Google's OAuth verification process for sensitive scopes, including analytics.readonly, userinfo.email, and userinfo.profile. Our app is in Production status — not testing mode. This means Google has reviewed our data usage and privacy practices before approving access.

  • Read-only GA4 access — we cannot modify anything in your account
  • Google-verified OAuth app, sensitive scopes approved and in Production status
  • The GA4 Data API only returns aggregated data — individual hit-level records are never accessible
  • OAuth tokens encrypted at rest with AES-256-GCM
  • Data stored in EU via Supabase
  • Row-level security — your data is isolated from all other users
