Google API Services Disclosure

Last updated: May 7, 2026

This page is a focused disclosure of how Clevertrek uses data obtained from Google APIs ("Google User Data"). It complements, and should be read together with, the Privacy Policy (in particular Section 10) and the Terms of Service.

This page is designed to be self-contained for the purposes of the Google API Services verification process: any reviewer can read it on its own to assess our scopes, our use of Google User Data, our compliance with the Limited Use requirements, our retention practices, and how users can revoke access.

Clevertrek is operated by Fernando Beneitez Vela-Hidalgo, a sole proprietor under Spanish law, holder of NIF 75794423Q, with registered address at Avenida del Hotel, 1, 15º, 08860 Castelldefels, Barcelona, Spain.

1. Application Identity

Application name (as shown on the OAuth consent screen): Clevertrek
Operator: Fernando Beneitez Vela-Hidalgo (sole proprietor, NIF 75794423Q)
Verified domain: the public Clevertrek domain (matches the homepage, Privacy Policy URL, and Terms of Service URL configured on the Google Cloud Console OAuth consent screen)
Privacy Policy: see /privacy-policy
Terms of Service: see /terms-of-service
Support contact: support@clevertrek.com
Privacy contact: privacy@clevertrek.com
Security contact: security@clevertrek.com

2. Google APIs and OAuth Scopes Requested

Clevertrek requests only the following Google APIs and OAuth scopes, and only to the extent necessary to provide the user-facing features described below.

Google API	OAuth scope(s)	Sensitivity (per Google)	User-facing feature
Google Sign-In / OpenID Connect	`openid`, `profile`, `email`	Non-sensitive	Account creation and authentication ("Sign in with Google")
Google Search Console API	`https://www.googleapis.com/auth/webmasters.readonly`	Sensitive	"Search Console" feature inside the user's Workspace, displaying SEO and search-performance data for properties that the user verifies in Search Console
Google Picker API + Drive (file-by-file)	`https://www.googleapis.com/auth/drive.file`	Sensitive (narrow file-by-file scope, not the broad `drive` or `drive.readonly` scope)	"Add from Google Drive" file picker, used to attach files the user actively selects to their Clevertrek Workspaces
Google Analytics Data API (GA4)	`https://www.googleapis.com/auth/analytics.readonly`	Sensitive (read-only scope, not the broader `analytics` or `analytics.edit` scope)	"Google Analytics (GA4)" addon inside the user's Workspace, displaying the user's own GA4 traffic and engagement metrics for properties their Google account has access to

Clevertrek does not currently request:

the broad https://www.googleapis.com/auth/drive scope or the auth/drive.readonly scope;
the broader analytics or analytics.edit scopes (we use only the read-only analytics.readonly);
any Gmail scope;
any Google Calendar scope;
any Restricted scope (per Google's classification).

If new scopes are added in the future, this page, the Privacy Policy, and the OAuth consent screen will be updated accordingly. Any new Sensitive or Restricted scope will go through Google's verification (and, where applicable, security assessment) before being enabled in production.

3. How Each Scope Is Used

3.1 Google Sign-In (`openid`, `profile`, `email`)

Used to:

create or look up a Clevertrek Account;
authenticate the user on subsequent logins;
display the user's name and avatar inside the Service.

No further use. This data is not used for advertising, profiling, or AI-model training.

3.2 Google Search Console (`webmasters.readonly`)

Used to display, inside the user's own Workspace, SEO and search-performance information for the properties that the user has verified in Search Console.

Specific operations performed:

list the user's verified Search Console properties (sites.list);
query search performance metrics (clicks, impressions, CTR, position) by query, page, country, device, and date (searchanalytics.query);
display indexing-status information for selected URLs (urlInspection.index.inspect).

Read-only. Clevertrek does not use any write/modify endpoint of the Search Console API. The scope requested is the read-only variant.

Where the data flows: Search Console responses flow from Google directly to the Clevertrek server that handles the user's request, are processed to render charts and tables, and are returned to the user's browser inside their authenticated Workspace.

3.3 Google Drive — Picker, file-by-file (`drive.file`)

Used to let the user select files from their own Google Drive and attach them to a Workspace, via the Google Picker UI hosted by Google.

Narrow scope. The drive.file scope grants Clevertrek access only to files the user has explicitly opened or created with Clevertrek through the Picker. Clevertrek cannot enumerate the user's Drive, cannot access folders or files outside the Picker selection, and cannot read the user's full Drive contents.

Specific operations performed:

launch the Google Picker UI inside the Clevertrek interface;
receive the metadata of files actively selected by the user (file ID, file name, mime type, web view link);
when the user later opens an attached Drive file from Clevertrek, fetch only the file the user has chosen.

3.4 Google Analytics Data API — GA4 (`analytics.readonly`)

Used to display, inside the user's own Workspace, traffic and engagement information for the GA4 properties that the user's Google account has access to.

Specific operations performed:

list the GA4 properties accessible by the user's Google account (Account / Property listings via the Admin API where applicable);
query GA4 reports through the Google Analytics Data API (runReport, batchRunReports, runRealtimeReport) to retrieve user-selected dimensions and metrics (such as users, sessions, page views, events, conversions, traffic sources, devices, countries) for date ranges chosen by the user;
display the resulting reports as charts and tables inside the user's authenticated Workspace.

Read-only. Clevertrek requests the read-only scope https://www.googleapis.com/auth/analytics.readonly and never the broader analytics or analytics.edit scopes. Clevertrek does not call write or modify endpoints, does not use any management/admin write operations, and does not modify GA4 configurations on the user's behalf.

No Universal Analytics. Clevertrek does not access deprecated Universal Analytics data through this scope, and does not request any UA-specific scope.

Where the data flows: GA4 responses flow from Google directly to the Clevertrek server that handles the user's request, are processed to render charts and tables, and are returned to the user's browser inside their authenticated Workspace.

4. Limited Use of Google User Data — Affirmative Statement

Clevertrek's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

This means specifically:

(a) Allowed use only. Google User Data is used only to provide or improve user-facing features that are prominent in the Clevertrek user experience — namely Google Sign-In, the Search Console feature inside Workspaces, the Drive file picker for attachments, and the GA4 addon inside Workspaces. Google User Data is not used for any other purpose.

(b) No transfer. Google User Data is not transferred to third parties except:

as strictly necessary to operate user-facing features (e.g., the hosting infrastructure that runs Clevertrek);
to comply with applicable law or a valid legal request;
as part of a merger, acquisition, or sale of assets, with prior notice to users.

(c) No advertising. Google User Data is not used for any advertising purpose, including personalized advertising, retargeting, or sale of advertising inventory. Clevertrek does not run ads in the Service and does not share Google User Data with any advertising platform.

(d) No unrelated AI/ML training. Google User Data is not used to develop, improve, or train generalized AI or machine-learning models, whether Clevertrek's own or those of third parties. AI Features inside Clevertrek (powered by Anthropic's Claude API) do not receive Google User Data: Search Console responses, Drive metadata, GA4 responses, and other Google User Data are not transmitted to Anthropic.

(e) No human reading. No human at Clevertrek reads any user's Google User Data, except: (i) with the user's affirmative consent for specific Google User Data; (ii) where necessary for security purposes (such as investigating abuse or a security incident); (iii) where necessary to comply with applicable law; or (iv) on data that has been aggregated and anonymized for internal operations.

5. Subprocessors That May Process Google User Data

Google User Data is processed only by the following categories of subprocessors, and only to the extent strictly necessary to operate the Service:

Hosting and infrastructure provider that hosts Clevertrek's servers and database;
Error-monitoring provider (where used) that may receive technical error traces, configured to scrub Google User Data from payloads where reasonably possible.

Google User Data is not transmitted to:

the AI provider (Anthropic);
payment processors (Stripe);
email-delivery providers;
analytics providers;
any advertising or marketing platform.

The current list of subprocessors is available on request and, for Team/Enterprise customers, in Annex III of the Data Processing Addendum.

6. Storage and Security of Google User Data

TLS is used for all communications between the user's browser, Clevertrek's servers, and Google APIs.
OAuth refresh and access tokens are encrypted at rest (AES-256-CBC), so that tokens are not readable from a database export.
Least-privilege access controls are enforced on the production environment.
Logging and monitoring alert on unusual API call patterns.
Token rotation and revocation is performed when suspected compromise is detected.
Clevertrek does not request scopes it does not actively use, and does not use scopes broader than the user-facing feature requires.

7. Retention of Google User Data

Type of Google User Data	Retention rule
OAuth refresh / access tokens	Stored encrypted at rest while the integration is active; deleted within a reasonable period (typically a few days) after disconnection or Account closure
Sign-In identity (name, email, profile picture, Google account ID)	Stored in the user's Account profile while the Account is active; deleted on Account closure
Search Console responses	Cached short-term (typically minutes to hours) for performance; no long-term server-side dataset is built
Drive file metadata of attachments	Retained while the attachment exists in a Workspace; deleted when the attachment is removed
GA4 responses	Cached short-term (typically minutes to hours) for performance; no long-term server-side dataset is built

8. How Users Revoke Access and Delete Their Google User Data

A user can revoke Clevertrek's access to their Google account at any time, in two equivalent ways:

From inside Clevertrek, by disconnecting the relevant integration in Account → Connections (or the equivalent integration management screen).
From the Google Account, at https://myaccount.google.com/permissions, by removing Clevertrek from the list of connected applications.

When access is revoked:

the OAuth tokens stored by Clevertrek for that integration are invalidated and deleted within a reasonable period;
cached Google User Data tied to that integration is deleted;
references to Drive attachments that can no longer be retrieved will be marked as unavailable inside the user's Workspaces.

To request deletion of all data associated with a Clevertrek Account, the user can use the procedure described in Section 19 of the Privacy Policy ("Your Rights Under GDPR").

9. Reporting Security Issues

Security researchers and Google's security teams can report issues at security@clevertrek.com. Good-faith reports submitted in line with reasonable disclosure practices will not be subject to legal action by Clevertrek.

10. Updates to This Disclosure

When Clevertrek's use of Google APIs changes — new scopes, new features, new subprocessors that handle Google User Data — this page and the corresponding Section 10 of the Privacy Policy will be updated. The "Last updated" date at the top of this page reflects the most recent change.

11. Contact

Clevertrek (Fernando Beneitez Vela-Hidalgo, sole proprietor, NIF 75794423Q) Avenida del Hotel, 1, 15º 08860 Castelldefels, Barcelona, Spain

Privacy contact: privacy@clevertrek.com
Security contact: security@clevertrek.com
General legal contact: legal@clevertrek.com

Google API Services Disclosure

1. Application Identity

2. Google APIs and OAuth Scopes Requested

3. How Each Scope Is Used

3.1 Google Sign-In (openid, profile, email)

3.2 Google Search Console (webmasters.readonly)

3.3 Google Drive — Picker, file-by-file (drive.file)

3.4 Google Analytics Data API — GA4 (analytics.readonly)

4. Limited Use of Google User Data — Affirmative Statement

5. Subprocessors That May Process Google User Data

6. Storage and Security of Google User Data

7. Retention of Google User Data

8. How Users Revoke Access and Delete Their Google User Data

9. Reporting Security Issues

10. Updates to This Disclosure

11. Contact

3.1 Google Sign-In (`openid`, `profile`, `email`)

3.2 Google Search Console (`webmasters.readonly`)

3.3 Google Drive — Picker, file-by-file (`drive.file`)

3.4 Google Analytics Data API — GA4 (`analytics.readonly`)