Privacy Policy

Last updated: 2026-05-11

This Privacy Policy explains how GA Lite ("we", "us") collects, uses, and protects information when you use our multi-site analytics Service.

1. Information We Collect

Account information. Email address, display name, profile picture URL (from Google sign-in or password registration), and any optional profile data you provide.

Connected-account information. When you connect a Google account via OAuth, we receive an access token and a refresh token, plus basic profile information (email, display name, picture). Tokens are encrypted server-side with AES-GCM and are never transmitted to your browser. We use these tokens strictly to call the Google Analytics 4 Data API on your behalf.

Project & site configuration. Site names, URLs, logos, descriptions, visibility settings, and the GA4 property identifiers you choose to attach. These are stored in our database for as long as your account is active.

Analytics query results. When you view a dashboard or invoke an MCP tool, we fetch metrics from GA4 and cache the results briefly (typically up to 60 seconds) to reduce upstream API load. We do not store long-term snapshots of your analytics data.

Usage & technical data. IP address, browser/user-agent, approximate region, device fingerprint, and standard server logs. We use this data to prevent abuse, fight fraud, and maintain reliability.

Payment data. When you upgrade, our payment partners collect billing details directly. We receive a transaction reference and status — we do not store full card numbers on our servers.

2. How We Use Information

We use the information to: operate and improve the Service; authenticate you and authorize API calls; render your dashboards and respond to MCP queries you initiate; process payments and subscriptions; detect, prevent, and respond to abuse, fraud, and security incidents; comply with legal obligations; and send service-related communications. We do not sell your personal information.

3. Sharing

We share information only with:

• (a) infrastructure providers (hosting, edge network, database) acting as our processors
• (b) Google strictly to fulfill the GA4 query you submitted (we pass your token forward; Google's own privacy policy applies to their handling)
• (c) payment processors strictly to complete your transaction
• (d) analytics providers in aggregated or pseudonymized form
• (e) law enforcement or other parties when required by valid legal process

4. Data Retention

Account data and connected-account metadata are retained for as long as your account is active. Encrypted OAuth tokens are kept until you revoke the connection or delete the account. Cached analytics responses live for the cache TTL only (typically 60 seconds) and are then evicted. Server logs are retained for up to 90 days for security and abuse-prevention purposes. Upon account deletion, we erase or anonymize personal data and revoke any active tokens within a reasonable time, except where retention is required by law.

5. Your Rights

Depending on your jurisdiction, you may have the right to access, correct, export, or delete the personal data we hold about you, to disconnect any connected Google account at any time from the Integrations page, to object to or restrict certain processing, or to withdraw consent. To exercise any right beyond the in-product controls, email support@galite.io. We respond within the timeframe required by applicable law.

6. Children

The Service is not directed to anyone under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has used the Service, contact support@galite.io so we can remove the account.

7. International Transfers

We operate globally and may process your data in jurisdictions other than your own. Where required, we rely on adequacy decisions, standard contractual clauses, or your explicit consent as the legal basis for transfer.

8. Security

We implement technical and organizational measures designed to protect your data against unauthorized access, alteration, disclosure, and loss. OAuth tokens are encrypted with AES-GCM before being persisted. No system is perfectly secure; if you suspect a breach, contact support@galite.io immediately.

9. Cookies & Similar Technologies

We use cookies and similar storage to maintain your session, remember preferences, and gather anonymized usage statistics. You can control cookies through your browser settings; disabling them may impair Service functionality.

10. Changes to This Policy

We may update this Privacy Policy from time to time. The effective date at the top of this page reflects the most recent revision.

11. Contact

Questions about this policy can be sent to support@galite.io.