Privacy Policy
Last updated: March 7, 2026
1. Introduction
Plask ("we," "our," or "us") provides a software-as-a-service platform that connects to your Google Analytics 4 properties to deliver automated anomaly detection and AI-generated weekly digests. This Privacy Policy explains how we collect, use, store, and protect your information when you use our service.
By using Plask, you agree to the collection and use of information in accordance with this policy.
2. Information We Collect
2.1 Account Information
When you sign in with Google, we receive and store your name, email address, and profile picture from your Google account. This information is used to identify your account and personalize your experience.
2.2 Google Analytics Data
With your explicit authorization, we access your Google Analytics 4 property data through the Google Analytics Data API. This includes metrics such as active users, sessions, screen views, and event counts. We request the analytics.readonly scope, which provides read-only access to your analytics data. We cannot modify your Google Analytics configuration.
2.3 OAuth Tokens
To access your Google Analytics data on your behalf, we store OAuth access and refresh tokens. These tokens are encrypted at rest using AES-256-GCM encryption before being stored in our database. Tokens are only used to retrieve your analytics data and are never shared with third parties.
2.4 Payment Information
If you subscribe to our Pro plan, payment processing is handled entirely by Stripe. We do not store your credit card number, bank account details, or other sensitive financial information on our servers. We retain only your Stripe customer ID and subscription status to manage your account tier.
2.5 Usage Data
We use Google Analytics 4 on our own website to collect usage data such as pages visited, features used, button clicks, and interaction patterns. This data helps us understand how the service is used and improve the product. Google Analytics may collect your IP address, browser type, device information, and approximate location. This data is processed by Google in accordance with the Google Privacy Policy. You can opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on.
3. How We Use Your Data
We use the information we collect to:
- Provide and maintain the Plask service, including daily metrics synchronization and dashboard display.
- Detect anomalies in your analytics data using statistical analysis (modified Z-score over a 28-day rolling window) and notify you of significant changes.
- Generate AI-powered weekly digest summaries of your analytics trends and performance.
- Send you email notifications for anomaly alerts and weekly digests (Pro plan only).
- Process subscription payments and manage your account tier.
- Communicate with you about service updates or issues.
4. Sharing, Transfer & Disclosure of Google User Data
Plask's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
We access your Google Analytics data (metrics such as active users, sessions, and page views) using OAuth tokens you authorize. Here is exactly how that data is shared, transferred, or disclosed:
- Anthropic (Claude AI) — Aggregated, anonymized analytics metrics (e.g., user counts, session totals, week-over-week percentage changes) are sent to Anthropic's Claude API to generate your weekly digest summaries. No personally identifiable information, raw Google user data, or OAuth tokens are sent to Anthropic.
- Resend (Email delivery) — When sending alert or digest emails, the email body may contain summarized analytics metrics (e.g., "DAU dropped 40%"). Resend receives your email address and the notification content for delivery only.
- Supabase (Database hosting) — Your synced analytics metrics are stored in a Supabase-hosted PostgreSQL database. OAuth tokens are encrypted with AES-256-GCM before storage. Supabase acts as a data processor and does not access or use your data independently.
- Vercel (Application hosting) — Plask is hosted on Vercel's infrastructure. All HTTP requests, including those containing analytics data, pass through Vercel's servers during normal application operation. Vercel acts as an infrastructure provider and does not access, inspect, or use your Google user data.
- No other third parties — We do not sell, rent, trade, or otherwise disclose your Google user data to any other third parties, including advertisers, data brokers, or information resellers.
All third-party services listed above act solely as data processors on our behalf and are contractually prohibited from using your data for any purpose other than providing their service to us.
5. Third-Party Services
We use the following third-party services to operate Plask. Each service receives only the minimum data necessary to perform its function:
5.1 Google (Authentication, Analytics API & Site Analytics)
We use Google OAuth for authentication, the Google Analytics Data API to retrieve your GA4 property data, and Google Analytics 4 on our own website to measure usage and improve the product. Google's use of your data is governed by the Google Privacy Policy.
5.2 Supabase (Database)
Your account information, analytics metrics, alerts, and digests are stored in a Supabase-hosted PostgreSQL database. OAuth tokens are encrypted before storage. Supabase provides infrastructure-level encryption at rest and in transit.
5.3 Stripe (Payments)
Payment processing is handled by Stripe. When you subscribe to Pro, your payment information is sent directly to Stripe and never passes through our servers. Stripe's privacy practices are described in the Stripe Privacy Policy.
5.4 Anthropic (AI Digests)
Weekly digest summaries are generated using Anthropic's Claude AI. We send aggregated, anonymized analytics metrics (such as user counts, session trends, and week-over-week changes) to Claude for summarization. No personally identifiable information or raw user data from your Google Analytics properties is sent to Anthropic.
5.5 Resend (Email)
We use Resend to deliver email notifications including anomaly alerts and weekly digests. Resend receives your email address and the content of the notification being sent.
5.6 Vercel (Hosting)
Plask is deployed on Vercel's cloud platform. Vercel provides the server infrastructure that runs our application and processes all HTTP requests. Vercel's privacy practices are described in the Vercel Privacy Policy.
6. Data Storage & Security
We take the security of your data seriously and implement the following measures:
- OAuth tokens are encrypted using AES-256-GCM before database storage, with version-prefixed payloads supporting key rotation.
- All data is transmitted over HTTPS/TLS encrypted connections.
- Database access is restricted to authenticated application connections only.
- Payment data is handled exclusively by Stripe, a PCI DSS Level 1 certified payment processor.
- We use JSON Web Tokens (JWT) for session management, with tokens signed using a secure secret.
7. Data Retention
We retain your data for as long as your account is active. Historical analytics metrics are stored indefinitely to enable trend analysis and anomaly detection. If you delete your account, we will:
- Delete your account information and profile data.
- Revoke and delete all stored OAuth tokens, removing our access to your Google Analytics data.
- Delete all stored analytics metrics, alerts, and digests.
- Cancel any active Stripe subscription (Stripe may retain records per their own retention policy).
Some data may be retained in database backups for a limited period consistent with our backup retention schedule.
8. Your Rights
You have the right to:
- Access the personal data we hold about you.
- Export your stored analytics data.
- Delete your account and all associated data.
- Revoke Google Analytics access at any time through your Google Account permissions.
- Opt out of email notifications through your dashboard settings.
To exercise any of these rights, contact us using the information below.
9. Cookies
Plask uses the following cookies:
- Session cookie — An essential cookie to keep you signed in.
- Google Analytics cookies (_ga, _ga_*) — Used to distinguish unique visitors and track site usage. These cookies are set by Google Analytics and expire after 2 years. No advertising or cross-site tracking cookies are used.
We do not use advertising cookies or third-party tracking cookies.
10. Children's Privacy
Plask is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us so we can delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the service after changes constitutes acceptance of the updated policy.
12. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us at: