Privacy Policy

Last updated: March 2026

Webhealth is operated by Lukas Dienst, trading as DevBrew Development. This notice explains how we process personal data when you visit the site, sign in with Google, connect data sources, generate reports, contact support, or use paid features.

This document is written to work for both business and consumer users. Mandatory statutory rights remain unaffected.

1. Controller and contact

Controller: Lukas Dienst, trading as DevBrew Development, Am Holzweg 11, 35789 Weilmünster, Germany.

General contact: kontakt@devbrew.dev. Privacy contact: kontakt@devbrew.dev.

2. Data categories we process

  • Account and identity data such as name, email address, profile image, Google account identifiers, and session details.
  • Encrypted Google provider tokens, token expiry data, and Google locale information needed to keep Search Console and Analytics access working.
  • Google Search Console metrics such as clicks, impressions, CTR, position, queries, and page-level performance.
  • Google Analytics 4 metrics such as sessions, users, new users, traffic-source breakdowns, landing pages, and other report inputs connected to the selected property.
  • Crawl and website-audit data from publicly accessible pages, including broken links, missing metadata, and other technical findings.
  • Workspace settings, report history, billing status, feature flags, and plan usage records.
  • Support and feedback data, including message contents and the account details attached to the submission.
  • Security and audit data such as IP address, user agent, admin/system log entries, and operational error details.
  • Browser/device storage data, including authentication cookies, UI-state cookies, and local storage entries used for onboarding or pending actions.

3. Purposes and legal bases

  • Provide the service, authenticate users, and generate requested reports: performance of a contract or steps taken before entering a contract.
  • Automatically sync available Google properties after sign-in so the workspace can be configured: performance of a contract and our legitimate interest in reducing setup friction.
  • Process subscriptions, receipts, cancellations, and plan enforcement: performance of a contract and legal obligations for tax/accounting records.
  • Operate the report pipeline, including AI-assisted analysis of report context: performance of a contract.
  • Handle support requests, feedback, and account communications: performance of a contract and our legitimate interest in user support.
  • Prevent abuse, secure the service, investigate incidents, and maintain audit trails: legitimate interests in security, fraud prevention, and reliable operations.
  • Measure website usage with Google Analytics 4 after you accept analytics cookies: consent.

4. Google API access and service behavior

When you sign in with Google, we request read-only access for Google Search Console and Google Analytics 4 plus basic identity scopes. We do not request write access to your Google account.

After the first Google sign-in, the app may automatically sync accessible Search Console and GA4 properties into your workspace. Report generation then uses the selected connected property and any related data needed to produce the report.

We use Google-derived data only to provide, secure, and improve the requested reporting features. We do not sell Google user data or use it for unrelated advertising purposes.

5. Google Analytics 4 website tracking

We use Google Analytics 4 to measure how visitors use the website, including page views, navigation events, approximate device and browser details, referrer information, and interaction events.

Google Analytics 4 is activated only after you accept analytics cookies in the consent banner. If you decline, the Google tag is not loaded. You can change your choice later at any time through Cookie settings in the footer.

6. Vercel Analytics

We use Vercel Analytics to measure how visitors use the website. This may include page views, referrers, device type, browser type, and country of origin (derived from IP address). Vercel Analytics does not set cookies and does not use persistent identifiers.

Processing is based on our legitimate interest in measuring website usage (Article 6(1)(f) GDPR). Because no cookies or client-side storage are used, § 25 TDDDG does not apply. You may object to this processing.

7. Recipients and processors

  • Google, for OAuth sign-in, as the connected data source for Search Console and GA4, and as the provider of Google Analytics 4 website analytics after consent.
  • OpenAI, to process selected report context, URLs, metrics, and structured audit data in order to generate AI-assisted report output.
  • Stripe, to create customer records, process subscriptions, and manage the billing portal.
  • Vercel, to host and serve the web application.
  • Hetzner/PostgreSQL, to host the application database and worker infrastructure in the EU.
  • GlitchTip, to capture operational errors and security-relevant exceptions.
  • Vercel Analytics, for cookieless measurement of page views, referrers, device type, and country of origin. Vercel processes this data on its own infrastructure; IP addresses are not stored persistently.

8. Data security

  • All network traffic between your browser, our servers, and third-party processors is encrypted in transit using TLS (HTTPS).
  • Google OAuth tokens — including access tokens, refresh tokens, and ID tokens — are encrypted at rest using AES-256-GCM with unique initialisation vectors before being stored in the database.
  • Google user data obtained through the Search Console and Analytics APIs is stored in an encrypted database and protected by the same access controls that apply to all application data.
  • The application database is hosted on operator-managed PostgreSQL infrastructure in the EU with restricted network exposure and authenticated administrative access.
  • Access to production infrastructure, the database, and encryption keys is restricted to the operator and protected by strong authentication.
  • We maintain procedures to detect, investigate, and respond to security incidents, including notifying affected users and supervisory authorities where required by applicable law.
  • Third-party processors are selected with regard to their technical and organisational security measures and are bound by data processing agreements.

9. International transfers

Some processors may process or make data accessible outside the EU/EEA, including the United States. This can apply in particular to Google, OpenAI, Stripe, Vercel, and GlitchTip depending on the service flow and subprocessors involved.

Where required, we rely on transfer mechanisms such as adequacy decisions, the EU-U.S. Data Privacy Framework where applicable, or standard contractual clauses and related safeguards.

10. Retention

  • Account profile and workspace records are retained for as long as the account remains active, unless a longer retention period is legally required.
  • Reports, generated insights, and related metrics remain available while the account is active, subject to deletion requests and operational retention windows.
  • If you disconnect a Google data source or revoke access, the associated tokens are deleted promptly. If you delete your account, all stored Google user data — including tokens, synced properties, and report data — is deleted.
  • Feedback submissions, audit logs, and security events are retained for as long as needed for support, abuse prevention, and accountability, then deleted or anonymized in line with operational retention rules.
  • Billing and accounting records may be retained longer where tax or commercial law requires it.

11. Required data and automated decision-making

Certain data is required to create an account, connect Google data sources, purchase a paid plan, or generate reports. If you do not provide the required data for those steps, we may be unable to provide the relevant part of the service.

We do not use solely automated decision-making, including profiling, that produces legal effects or similarly significant effects within the meaning of Article 22 GDPR.

12. Cookies and device storage

We use cookies and other device storage that are necessary to run the service and remember basic UI state. This includes authentication/session cookies, a sidebar-state cookie, and local storage entries used for onboarding, pending UI actions, and your saved analytics consent preference.

If you accept analytics cookies, we also load the Google tag for Google Analytics 4 website measurement. If you decline, the Google tag remains disabled.

13. Your rights

  • You may request access to your personal data, rectification, erasure, restriction of processing, or data portability, or object to processing where the law grants that right.
  • Where processing is based on consent, you may withdraw or change that consent at any time without affecting prior processing, including through Cookie settings in the footer.
  • You may lodge a complaint with a competent supervisory authority. For Hesse, Germany, this is currently Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI), Wiesbaden.

14. Changes to this notice

We may update this notice when the product, processors, or legal requirements change. Material updates will be communicated through the service or by email where appropriate.