Privacy Policy
Last updated: June 4, 2026
This Privacy Policy explains what information Metricstab collects, why we collect it, and how you can manage it. Metricstab is owned and operated by PL Tech Labs, a company incorporated in India ("we", "us", or "our"). For the purposes of India's Digital Personal Data Protection Act, 2023 ("DPDPA"), we act as the Data Fiduciary for the personal data we hold about you. By using Metricstab you consent to the practices described here.
1. Information we collect
- Account data: email address, name, password hash, email verification state.
- Google account data: the Google account email you sign in with, plus an OAuth refresh token used to call Google APIs on your behalf (see Section 3).
- Google Search Console data: aggregated search performance metrics (clicks, impressions, CTR, average position, queries, page URLs, device, country, search appearance) for the verified properties you authorize.
- Google Analytics data (only if you connect Google Analytics 4): aggregated traffic metrics — sessions, users, conversions, and traffic source/medium — broken down by landing page, for the GA4 properties you authorize.
- PageSpeed Insights data: Lighthouse audit results and Core Web Vitals field data for URLs Metricstab tests on your sites.
- Usage data: server logs, page views, feature usage, error reports.
- Billing data: processed by Paddle (our merchant of record). We store only customer and subscription identifiers — never card numbers, CVCs, or bank account details.
2. How we use information
We use the data above to provide and improve the service:
- Generate reports, dashboards, and AI-driven insights for sites you authorize.
- Send transactional emails (account confirmation, billing receipts, scheduled report emails you've configured).
- Detect and prevent abuse, fraud, and security incidents.
- Debug errors and improve performance, reliability, and security.
We do not sell personal data, use Google user data for advertising, or share it with third parties for marketing.
3. Google API services and Limited Use compliance
Metricstab's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- We use the following Google OAuth scopes to provide our SEO reporting features:
openidandhttps://www.googleapis.com/auth/userinfo.email— to identify which Google account you connected.https://www.googleapis.com/auth/webmasters.readonly,https://www.googleapis.com/auth/webmasters— use your Search Console search-performance data (clicks, impressions, queries, pages, and similar) for the properties you select.https://www.googleapis.com/auth/analytics.readonly— read-only access to the Google Analytics 4 properties you select (only if you choose to connect Google Analytics; see our Google Analytics integration page).
- Metricstab uses all Google user data on a read-only basis: it reads and displays your data to generate your reports, and never modifies your Search Console or Analytics properties, settings, or configuration.
- Free sneak-peek reports (no account required): if you generate a free report from our homepage, we read your Search Console data once to build it and do not store your raw search data. We keep only the generated report (a handful of summary figures and insights — not your underlying query/page data) for up to 7 days so you can view and share it, then it is deleted. If you choose to have the report emailed to you, we store the email address you enter so we can send you the report and follow up about Metricstab; you can ask us to delete it at any time (see Sections 6 and 7). Otherwise, we retain your email address only if you create an account.
- Google user data is used only to generate the SEO reports, insights, and dashboards visible inside your Metricstab account.
- We do not transfer Google user data to third parties except as needed to provide the service (our infrastructure subprocessors listed under Subprocessors) or as required by law.
- We do not use Google user data for serving advertisements.
- We may use automated methods — including rules, statistical analysis, and artificial-intelligence / machine-learning techniques — to analyze your own Google user data solely to generate the reports and insights we show you. We do not use your Google user data to develop, improve, or train generalized or non-personalized AI/ML models, and we never use one customer's data to build models or features for any other customer.
- We do not allow humans to read Google user data unless we have obtained your explicit consent, it is required for security reasons (e.g., investigating abuse), or to comply with applicable law.
- You can revoke Metricstab's access to your Google account at any time at myaccount.google.com/permissions. Revocation stops further data sync immediately; data already cached in Metricstab can be deleted from your account (see Section 6).
4. How we share information
We share data only with the infrastructure subprocessors required to operate Metricstab — cloud hosting (Google Cloud Platform), email delivery (SendGrid), payments (Paddle), and error monitoring. See the Subprocessors list for the full set, what each one accesses, and where it is located.
We may disclose information when required by law, a court order, or other valid legal process, including under the Indian Information Technology Act, 2000 and the DPDPA, 2023, or to protect the rights, property, or safety of Metricstab, our users, or the public.
5. Where data is stored and processed
Metricstab is operated from India. Our production infrastructure runs on Google Cloud Platform in the United States. Database backups and the BigQuery analytics warehouse are encrypted at rest; data in transit is protected with TLS 1.2 or higher.
If you are located outside India (including in the EEA, UK, or California), your personal data will be transferred to and processed in the United States and accessed by our team in India. For EEA / UK transfers we rely on Standard Contractual Clauses where applicable. Under the DPDPA, 2023 we will transfer personal data of Indian residents outside India only to countries the Government of India has not restricted.
6. Data retention and deletion
While your account is active we retain your account data, connected-service tokens, and cached Search Console, Analytics, and PageSpeed data so the service can run. When you delete your account:
- Personal account data and OAuth tokens are deleted within 30 days.
- Cached Search Console, Analytics, and PageSpeed data tied to your account is removed within the same window.
- Encrypted backups roll off within 90 days.
To delete your account, go to Account settings or email hello@metricstab.com.
7. Your rights
You can access, export, correct, or delete your personal data from Account settings at any time, or by emailing hello@metricstab.com.
- India (DPDPA, 2023): the right to access, correction, completion, updation and erasure of personal data; the right to grievance redressal; and the right to nominate another person to exercise these rights in the event of your death or incapacity.
- EEA / UK (GDPR): the rights of access, rectification, erasure ("right to be forgotten"), restriction of processing, data portability, and to object to processing. You also have the right to lodge a complaint with your local supervisory authority.
- California (CCPA/CPRA): the right to know what personal information we collect and how it is used; the right to delete; the right to correct; the right to opt out of sale or sharing (we do not sell or share personal information); and the right to non-discrimination for exercising these rights.
8. Cookies and similar technologies
We use strictly necessary cookies (session, CSRF protection, "remember me") by default. Optional analytics cookies require your consent — see the Cookie Policy for details.
9. Security
We protect data with HTTPS in transit, encryption at rest, least-privilege access controls, dependency scanning, and ongoing security updates. We follow the "Reasonable Security Practices and Procedures" requirements under India's Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. Report vulnerabilities to hello@metricstab.com.
10. Children
Metricstab is not directed to children under 16, and we do not knowingly collect personal data from anyone under 16. Under the DPDPA, 2023, processing of personal data of a child (under 18 in India) requires verifiable parental consent; we do not knowingly process such data. If you believe we have, contact us and we will delete it promptly.
11. Changes to this policy
We may update this policy from time to time. Material changes will be announced in-app or by email at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent change.
12. Grievance redressal and contact
For any privacy questions, data-subject requests, or grievances, email hello@metricstab.com. As required by Indian law, you may reach out to our designated grievance officer at the same address; we will acknowledge receipt within 24 hours and aim to resolve grievances within 30 days. A physical address for legal correspondence is available on request.
Questions? Email hello@metricstab.com or visit our support page.