Privacy Policy

Effective Date: 3 June 2025

Thank you for choosing to be part of the Ondigital community (“Company”, “we”, “us” or “our”). We are committed to protecting your personal information and your right to privacy. If you have any questions or concerns about this privacy notice or our practices with regard to your personal information, please contact us at [email protected].

When you visit our websites (including https://data.ondigital.io), use our mobile applications (the “Apps”), or engage with any related services, sales, marketing or events (collectively, the “Sites”), you trust us with your information. This notice explains, in clear language:

  1. What information we collect
  2. How and why we use Google user data
  3. With whom we share, transfer or disclose Google user data
  4. Our data-protection mechanisms for sensitive data
  5. How long we keep information & how you can delete it
  6. Your privacy rights

If any term in this notice is unacceptable to you, please discontinue use of our Sites and services.

1. What information do we collect?

A. Information you provide to us

  • Name and Contact Data – first and last name, email address, postal address, phone number and similar details.
  • Payment Data – card number and related details (processed by our PCI-compliant payment processor; we do not store full card numbers).
  • Social Login / Google Sign-In Data – when you choose to register or sign in using a Google account, we receive your Google-verified email address and, if you grant access, basic profile information.

B. Information we obtain from Google APIs (“Google user data”)

When you connect Google products such as Google Analytics 4, Google Ads or Google Search Console, we obtain:

  1. OAuth 2.0 access and refresh tokens
  2. The list of Google accounts and properties (e.g., Ads accounts, GA4 properties) you explicitly authorise
  3. Metrics, dimensions and configuration data that you instruct us to fetch for reporting or data-warehousing purposes

C. Automatically collected information

As you navigate our Sites we automatically collect certain data (IP address, device IDs, browser type, referring URLs, time-stamps, crash logs) for security and analytics. We also use cookies and similar technologies; see our Cookie Notice for details.

D. Information from other sources

We may receive limited information from public databases, marketing partners and social networks, but never in a way that contradicts this Privacy Policy.

2. How do we use Google user data?

We use and process Google user data only for the purposes you have authorised:

  • Account & property discovery – to list the Google Ads accounts, GA4 properties, Search Console properties etc. that you can connect inside our data-management platform.
  • Data extraction – to fetch advertising, analytics and search-performance metrics that you have selected.
  • Storage & modelling – to save those metrics either (a) in our managed Google BigQuery projects or (b) in a BigQuery project that you own and control, according to the storage option you choose.
  • Display & reporting – to show dashboards, charts and exports inside the Ondigital interface or via our APIs.
  • Support & troubleshooting – to investigate service issues you report.

Limited Use Commitment Ondigital’s use and transfer of information received from Google APIs to any other app will comply with theGoogle API Services User Data Policy, including its Limited Use requirements. We never use Google user data to create user profiles for advertising, nor do we allow human access except as necessary for the uses listed above, with your consent, or as required by law.

We process Google user data on the legal bases of(i) contractual necessity (Art. 6 (1)(b) GDPR) and(ii) legitimate interest in providing and improving our services (Art. 6 (1)(f) GDPR), balanced against your privacy rights.

3. Sharing, transfer or disclosure of Google user data

We do not sell or rent Google user data. We share it only:

  1. With you – via our dashboards, API exports or data-warehouse tables you control.
  2. With your chosen storage provider – e.g., Google BigQuery, according to your configuration.
  3. With subprocessors who perform services on our behalf (cloud hosting, monitoring). All subprocessors are bound by written agreements requiring privacy and security measures no less protective than those described here.
  4. For legal reasons – if we are compelled by court order or governmental request, provided we give you prior notice where legally permissible.

Cross-border transfers: If we transfer Google user data outside the European Economic Area we rely on adequacy decisions, Standard Contractual Clauses or other lawful transfer mechanisms.

4. Data-protection mechanisms for sensitive data

  • Encryption in transit & at rest – All data moves over TLS 1.2+; Google OAuth tokens and sensitive datasets are encrypted at rest using AES-256.
  • Token minimisation – We request the minimum OAuth scopes required and cache tokens only while your connection is active.
  • Strict access controls – Role-based access, MFA for staff, least-privilege principles, audited access logs.
  • Segregated environments – Production data is isolated from development and testing environments.
  • Regular testing – Pen-tests, vulnerability scans and third-party security audits.
  • Incident response – 24/7 monitoring and documented procedures to notify affected users and authorities within the timelines required by GDPR and applicable law.

5. Data retention and deletion

  • OAuth tokens & metadata – retained only while the data source remains connected. Automatically deleted within 30 days after you disconnect the source or the token expires / is revoked.
  • Fetched metrics – retained in our managed BigQuery project for 36 months by default, unless you configure a different retention period or delete the data. If you store data in your own BigQuery project, retention is governed by your settings.
  • Back-ups & logs – retained for up to 90 days for security, fraud-prevention and recovery purposes.
  • Deletion requests – you may email [email protected] or use the in-app “Delete My Data” feature. We will erase all personal and Google user data in scope within 30 days, unless we must keep it to comply with legal obligations.

6. Your privacy rights

Depending on your location you may have the right to access, correct, erase, restrict or object to the processing of your personal data, as well as the right to data portability. To exercise any of these rights, contact us at [email protected]. You also have the right to lodge a complaint with your local supervisory authority (in Sweden, the IMY).

7. Updates to this notice

We may update this Privacy Policy from time to time. The “Effective Date” at the top indicates when the latest version came into force. If we make material changes we will notify you via email or a prominent notice in the product.