Privacy Policy

Last updated: 2026-05-21

Summary

TagEasy is a tool for configuring Google Tag Manager and Google Analytics on websites you own or operate. This policy describes what data about you — the TagEasy customer — we collect, why, and what you can do about it. It does not describe the data your end-users generate through the tracking you configure; that's governed by your own privacy policy and Google's.

Data we collect

Account data

  • Your email, name, hashed password (if you sign up with credentials), and your Google account email (if you sign in with Google).
  • Organization name, website domain(s), industry, optional description.
  • Stripe customer ID, subscription status, plan, billing period — billing details (card numbers, etc.) live in Stripe, not in our database.

Usage data

  • Tracking event definitions you create (selectors, dataLayer keys, etc.).
  • Aggregated counts of events fired (for plan-limit enforcement).
  • Logs of significant actions (account creation, website creation, subscription changes) in our activity log.

Connected Google data (opt-in)

When you connect your Google account, we store an OAuth refresh token so the Service can act on your behalf against the Google APIs you authorize. We request only these scopes:

  • analytics.readonly — read your Google Analytics 4 metrics for reconciliation, AI insights, and health summaries.
  • analytics.edit — create GA4 custom dimensions when you use the dataLayer-variable feature.
  • tagmanager.edit.containers — read and write the tags, triggers, and variables in the Google Tag Manager container you select, so TagEasy can build, publish, and audit your tracking.
  • userinfo.email — identify which Google account is connected.

We only access the GA4 properties and GTM containers you explicitly select. You can revoke access at any time from your Google account settings or from Settings → Account → Disconnect Google.

Limited Use of Google user data

TagEasy's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including its Limited Use requirements. Specifically:

  • We use Google user data only to provide the user-facing features you connect it for — GTM setup and publishing, GA4 reconciliation, insights, and health monitoring.
  • We do not use or transfer Google user data for advertising, and we do not sell it.
  • We do not let humans read your Google user data unless you give explicit consent (for example, to resolve a support request), it is necessary for security or to comply with the law, or the data is aggregated and anonymized.
  • We do not transfer Google user data to third parties except as needed to provide the Service, to comply with the law, or as part of a merger or acquisition.

How we use it

  • To operate the Service (let you log in, save your configurations, send tracking code).
  • To bill you (via Stripe).
  • To send service-related emails (password resets, weekly health summaries you opt into).
  • To monitor health and improve the product (aggregated, non-identifying telemetry).

How we share it

We don't sell your data. We share it with these processors only as needed:

  • Stripe — billing.
  • Resend — transactional + summary emails.
  • OpenAI / Anthropic — when you use AI features, the prompt content is sent to the configured provider. No data is sent if you have no API key configured.
  • Vercel — hosting and request logs.
  • Google — only as needed to call APIs you authorized.

Cookies

We use first-party cookies for:

  • Session authentication (NextAuth).
  • Current organization selector (tageasy-org).
  • Active admin impersonation (tageasy-impersonate) — admin role only.

No advertising or analytics cookies on TagEasy itself.

Data retention

  • Account, organization, and event definition data: retained while your account is active.
  • Activity log: retained for 24 months.
  • Event health logs: retained for 12 months.
  • When you delete your account, we remove the above within 30 days.

Your rights

Subject to applicable law (GDPR, CCPA, etc.), you have the right to:

  • Access the data we hold about you.
  • Correct inaccurate data.
  • Delete your account (this also deletes the data we hold about you).
  • Export your data (you can export your event configurations from the dashboard).
  • Object to processing or restrict it.

To exercise these rights, email admin@hexcorp.io.

Browser extension (TagEasy Inspector)

The optional TagEasy Inspector Chrome extension runs in your browser and observes dataLayer events on whichever page you have open. It does not transmit page content, browsing history, or personal data anywhere.

If you paste a TagEasy extension key into the popup, the extension makes one outbound call:

  • To tageasy.io/api/extension/match only — sends the current page's hostname (e.g. shop.example.com) along with your key. We respond with the list of tags you have configured for that domain in your TagEasy account. We log the request for rate-limiting only; we do not store the request body.

Without a key, the extension makes no network calls at all and is a pure local-page utility. Storage permission is used solely to remember the key locally so you don't re-paste on every page.

Security

Passwords are bcrypt-hashed. OAuth refresh tokens and any service-account credentials are encrypted at rest. Connections use HTTPS. We use Stripe for all card processing — no card data touches our systems.

Children

TagEasy is not directed at children under 16. We don't knowingly collect data from them.

Changes

We may update this policy from time to time. Material changes will be announced via email or in-product notice.

Contact

Questions or requests? Email admin@hexcorp.io.