swapps analytics

← back home

Privacy policy

Last updated: 2026-06-18

Who we are

Swapps Analytics ("the service") is operated by Swapps ("we", "us"). The service helps website owners review their own Google Analytics, Tag Manager and Search Console data in one place.

Contact for privacy matters: privacy@swapps.com.

Data we collect

When you sign in with Google we receive your Google account identifier (sub), email address, display name and profile picture URL through the openid email profile scopes. We also receive OAuth access and refresh tokens scoped strictly to:

  • https://www.googleapis.com/auth/analytics.readonly
  • https://www.googleapis.com/auth/webmasters.readonly
  • https://www.googleapis.com/auth/tagmanager.readonly

When you complete your profile we collect the full name,company name, job title andphone number (optional) you enter. When you register a site we store the domain you provide and the identifiers of the GA4 property, GTM container and Search Console site you choose to link.

When you generate an analysis we call the Google APIs on your behalf, receive metrics (sessions, users, conversions, clicks, impressions, queries, pages, etc.) for the date range you select, and store a snapshot of the response together with the structured recommendations produced by an AI model. Comments you leave on a recommendation, and replies generated by the AI helper, are stored as part of that recommendation's thread.

How we use Google user data

We only use Google user data to provide the features described on this page: listing your accessible accounts, fetching the metrics you ask us to render, and producing the AI-generated recommendations you see in your dashboard. We do not use Google user data for advertising. We do not sell or share Google user data with third parties.

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Where data is stored

  • Cloudflare D1 (Postgres-compatible SQLite, hosted in Cloudflare's network): user records, organisations, site configurations, analysis snapshots, recommendations and comments.
  • Cloudflare KV: HMAC-signed session identifiers (14 day TTL), encrypted Google access-token cache, short-lived OAuth state.
  • Cloudflare Workers AI: prompts containing your snapshot data are sent to a Llama-family model hosted by Cloudflare to produce the recommendations and chat replies you see. Cloudflare's Workers AI does not retain prompts for training.

Refresh tokens are encrypted with AES-GCM before being written to storage. Session cookies are HTTP-only, secure and HMAC-signed.

Sharing

Other members of the organisations you belong to can see the sites registered in that organisation and any analyses or recommendations generated for those sites. They cannot see your Google grant or any sites you have registered in a different organisation. We do not share your data with any other third party.

Retention

Account data is retained until you delete your account. Analyses and recommendations are retained until you delete the site they belong to, or your account. You may request deletion of any specific item or of your entire account by emailing privacy@swapps.com.

Revoking access

You can revoke our access to your Google account at any time at myaccount.google.com/permissions. Doing so will prevent future API calls; previously stored snapshots and recommendations remain in your account until you delete them.

Children

webanalytics is not directed to children under 13 and we do not knowingly collect personal data from children.

Changes

We may update this policy from time to time. Material changes will be announced via the service.