Skip to main content
Home/Privacy Policy

Privacy Policy

Last updated: March 31, 2026

Short version: StackXray connects to your Google properties with read-only access. We never store your clients' raw analytics data. All AI analysis runs in-memory and is discarded after your report is generated. We store only what's necessary to run the service.

1. Who We Are

StackXray is operated by The Kern Group LLC, a Missouri limited liability company. References to "StackXray," "we," "us," or "our" refer to The Kern Group LLC and the StackXray service at stackxray.io.

Contact: privacy@stackxray.io

2. What Data We Collect

Account Information

When you create an account, we collect:

  • Name and email address (via Clerk authentication)
  • Organization name
  • Billing information (processed and stored by Stripe — we do not store card numbers)
  • Account preferences and settings

Google OAuth Access

When you connect a client's Google properties, you grant StackXray OAuth access with the following read-only scopes:

PlatformScopePurpose
Google Analytics 4analytics.readonly, analytics.manage.users.readonlyRead GA4 property config, data streams, and conversion events
Google Tag Managertagmanager.readonlyRead container tags, triggers, and variables
Search Consolewebmasters.readonlyRead search performance, coverage, and sitemap data
Google Adsadwords (read-only via API)Read campaign structure, conversion tracking, and bidding config
Merchant Center (coming soon)Not yet available. Will be added in a future release.

We request read-only permissions only. StackXray cannot create, modify, or delete any data in your Google properties. This is enforced at the OAuth scope level.

Usage and Log Data

We collect standard server logs including IP addresses, browser type, pages visited, and audit timestamps. This data is used for security monitoring and service improvement.

3. What We Do NOT Store

We do not store:

  • Your clients' raw analytics data (GA4 event data, session data, user data)
  • Raw Google Ads campaign performance data or conversion event data
  • Search Console search query data
  • GTM container raw tag configurations beyond what appears in your report
  • Merchant Center product catalog data (Merchant Center integration coming soon)
  • Any personally identifiable information belonging to your clients' end users

4. How We Process Data

In-Memory Analysis

When you run an audit, StackXray:

  • Collects the necessary configuration and aggregate data from Google APIs
  • Passes that data to Anthropic's Claude API for analysis
  • Generates your audit report
  • Discards all raw API response data immediately after the report is generated

The raw Google API data exists only in memory during the analysis window. It is never written to disk or a database.

What Is Stored

After analysis is complete, we store:

  • The structured findings and scores output by the analysis (the content of your report)
  • Generated PDF reports (encrypted at rest in Supabase Storage)
  • Audit metadata: timestamp, platforms audited, client name, overall score
  • Encrypted Google OAuth refresh tokens (AES-256-GCM) — necessary to support scheduled re-audits

OAuth Token Storage

To support scheduled audits and re-runs, we store your Google OAuth refresh tokens. These are encrypted at rest using AES-256-GCM encryption before being stored in our database. The encryption key is stored separately from the encrypted tokens. You can revoke access at any time from your Google Account security settings or from your StackXray account settings, which deletes the stored tokens immediately.

5. Third-Party Subprocessors

We use the following subprocessors to deliver the StackXray service:

SubprocessorPurposeData Shared
AnthropicAI analysis (Claude API)Structured audit data during analysis — no raw client PII
VercelApplication hostingServer logs, request data
Supabase (via AWS)Database and file storageAccount data, report findings, encrypted tokens
ClerkAuthenticationEmail address, name, session data
StripePayment processingBilling information — card data never touches our servers
Trigger.devBackground job processingAudit job payloads (audit IDs, org IDs) — no raw analytics data
ResendTransactional emailEmail address, report delivery

6. Google API Services Disclosure

StackXray's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically:

  • We use Google user data only to provide the StackXray audit service
  • We do not use Google user data for advertising purposes
  • We do not sell Google user data to third parties
  • We do not use Google user data for any purpose beyond generating your audit report
  • Human access to Google user data is limited to security and debugging purposes, and only with your consent

7. Data Retention

We retain data as follows:

  • Audit reports and findings: Retained for the duration of your account, or until you delete them
  • OAuth tokens: Retained until you revoke access or delete your account
  • Account data: Retained for 30 days after account cancellation, then permanently deleted
  • Server logs: Retained for 90 days

8. Your Rights

You have the right to:

  • Access: Request a copy of all data we hold about you and your organization
  • Deletion: Request permanent deletion of your account and all associated data
  • Export: Export your audit reports and findings in CSV or PDF format at any time from your dashboard
  • Revoke access: Disconnect any Google property connection from your account settings — this immediately deletes the associated OAuth tokens from our database
  • Correction: Request correction of inaccurate account information

To exercise any of these rights, email privacy@stackxray.io. We will respond within 10 business days.

9. Security

We implement the following security measures:

  • All data in transit is encrypted via TLS 1.2 or higher
  • All data at rest is encrypted using AES-256
  • OAuth tokens are encrypted with AES-256-GCM before storage
  • Database access is restricted by role-level security (Supabase RLS)
  • Authentication is handled by Clerk with support for MFA
  • Security headers enforced on all routes: HSTS, X-Frame-Options, CSP

10. Cookies

StackXray uses cookies only for authentication session management (via Clerk). We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not use Google Analytics on this site.

11. Children's Privacy

StackXray is a business-to-business service intended for marketing professionals and agencies. We do not knowingly collect data from anyone under 18 years of age.

12. Changes to This Policy

We will notify you by email if we make material changes to this privacy policy. Continued use of StackXray after notification constitutes acceptance of the updated policy. The "Last updated" date at the top of this page reflects the most recent revision.

13. Contact

For privacy questions, data requests, or to report a concern: