Privacy Policy

1. Who We Are

Legal entity: RCB Digital Solutions
Trading name: GetInlytics
Country of registration: India
Contact email: hello@getinlytics.com
Website: https://getinlytics.com

GetInlytics operates in two capacities for privacy law purposes:

• Data Controller when we collect and decide how to use information from visitors to getinlytics.com (our own website).
• Data Processor when clients install TagSense on their own websites. In that situation, the client (the website owner) is the Data Controller, and GetInlytics processes data strictly on their behalf and under their instructions.

We do not have a formally appointed Data Protection Officer (DPO). Our processing activities are not high-risk or large-scale enough to require mandatory DPO appointment under GDPR Art. 37. All privacy inquiries are handled directly at hello@getinlytics.com and responded to within 30 days.

2. Two Separate Data Contexts

Context A - Visitors to getinlytics.com

When you visit our website, use our free tools (GA4 Gap Analysis, SEO Optimiser, Vibe Check, GTM Cookbook), submit the contact form, or subscribe to our newsletter, GetInlytics is the Data Controller. We decide what is collected and why. Section 3 covers this in full.

Context B - Websites with TagSense installed

TagSense is a monitoring script that website owners (our clients) install on their own websites to understand how their analytics tags are performing. When you visit a website that has TagSense installed, the website owner is the Data Controller. GetInlytics processes data as a Data Processor on their behalf.

If you are on a website that uses TagSense and want to exercise your privacy rights (access, deletion, etc.), you must contact that website owner directly. Their privacy policy governs the collection. Section 4 of this policy explains what TagSense collects and what it does not.

3. Data Collected on getinlytics.com

3a. Website Analytics (Google Analytics 4)

We use Google Analytics 4 (GA4), installed via Google Tag Manager container GTM-TTRP67NH, to understand how visitors use our site.

• What is collected: Pages visited, time spent on page, approximate geographic location (country level only), browser type, device type, and how you arrived at our site (search, direct, referral).
• What is NOT collected: Your name, email address, or any information that identifies you directly. IP addresses are anonymised before storage.
• Legal basis: Consent (via Cookiebot banner) for EU/EEA and India users. Legitimate interests for other regions where analytics consent is not legally required.
• Data processed by: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Privacy Policy
• Retention: 14 months in GA4 (Google default). Aggregated reports retained indefinitely.
• Opt-out: Use our Cookiebot consent banner to decline analytics cookies at any time. Alternatively, install the Google Analytics Opt-out Browser Add-on.

3b. Free Tool Scan Submissions

When you submit a URL to our free tools (GA4 Gap Analysis, SEO Optimiser, Vibe Check), the URL is sent to our server for processing.

• What is collected: The URL you submit.
• Storage: URLs are processed in server memory and are NOT stored permanently. Scan results are generated and returned to your browser only.
• Legal basis: Performance of contract (i.e. delivering the scan result you requested).
• Exception - email reports: If you choose to receive your scan results by email, we temporarily store your email address and the scanned URL for up to 24 hours for report delivery. Both are permanently deleted after the report is sent.
• Hosting: Our server infrastructure runs on Google Cloud Run (us-central1 region) and Vercel. Submitted URLs are processed in these environments.

3c. Contact Form

When you fill in our contact form, we collect the information you submit.

• What is collected: Your name, email address, company or website (optional), service interest (optional), and your message.
• Legal basis: Legitimate interests in responding to your inquiry. You are providing information voluntarily to initiate communication with us.
• Where it is stored: Supabase (PostgreSQL database). Supabase operates in EU regions. Supabase Privacy Policy
• Retention: We retain contact form submissions for up to 2 years after the last correspondence, or until you request deletion, whichever comes first.
• Who sees it: GetInlytics team members only. We do not share contact form data with third parties.

3d. Newsletter Subscription

If you subscribe to our newsletter, we collect and process your email address.

• What is collected: Email address only.
• Legal basis: Consent - you explicitly opted in by submitting the subscription form.
• Where it is stored: Supabase (EU region).
• How emails are sent: Via Resend (a transactional email provider based in the United States). Standard Contractual Clauses apply for EU-to-US data transfers.
• Retention: Until you unsubscribe. Every newsletter email contains a one-click unsubscribe link.
• Withdrawal: Click "Unsubscribe" in any newsletter email, or email hello@getinlytics.com. Processing after withdrawal is complete within 48 hours.

4. TagSense - Data Processing on Client Websites

4a. What TagSense is

TagSense is a monitoring script that website owners voluntarily install on their own websites. Its purpose is to help those website owners understand whether their analytics and marketing tags are working correctly - for example, whether their Google Analytics tag is firing, whether their cookie consent banner is blocking tags as it should, and whether any unknown scripts have appeared on their checkout pages.

When TagSense is installed on a client website, GetInlytics acts as a Data Processor. The website owner is the Data Controller. GetInlytics processes data strictly according to the client's instructions and does not use that data for its own purposes.

4b. What TagSense Captures - Full Disclosure

The following categories of data are collected by TagSense on behalf of the website owner:

Session and Page Data (no personal data is collected in this category)

• Pseudonymised session ID: A randomly generated identifier that allows TagSense to group events from the same browser session. For users in the EU and India, this ID is hashed using the website hostname, making it impossible to link to an individual without additional information. No persistent identifiers are used. No cookies are set to maintain this ID.
• Page URL: The address of the page being monitored. Any URL parameters that look like personal data (email addresses, names, phone numbers) are automatically replaced with [REDACTED] before transmission.
• Page title: The text shown in the browser tab for the page being monitored.
• Referrer URL: The URL of the previous page (where the visitor came from). Personal data patterns in referrer URLs are auto-redacted.
• Device type: Whether the visitor is on a mobile phone, tablet, or desktop computer. This is derived from browser signals, not from any device identifier.
• Browser name: The browser being used (for example, Chrome, Safari, Firefox). No browser fingerprinting is performed.
• Viewport dimensions: The width and height of the visible browser window, measured in pixels.
• No IP addresses are collected or stored at any point.

Tag and Tracking Health Data

• Tag names and types: Which analytics, marketing, or functional tags fired on the page (e.g. "Google Analytics 4 - All Pages", "Meta Pixel - Purchase").
• Tag status: Whether each tag fired successfully or encountered an error.
• Tag duration: How long each tag took to execute, measured in milliseconds.
• GTM container ID: The Google Tag Manager container identifier, if the site uses GTM.

Consent State Data

• Consent grant status: Whether the visitor granted or denied analytics consent, advertising consent, and other consent categories at the time of each tag fire.
• CMP provider: Which cookie consent management platform (CMP) is installed on the website (for example, OneTrust, Cookiebot, or Usercentrics).
• Privacy signals: Whether the browser sent a Global Privacy Control (GPC) signal or a Do Not Track (DNT) signal. TagSense respects these signals in its own session ID pseudonymisation logic.

Network Request Data

• Vendor names: Which third-party services received data from the page (for example, Google Analytics, Meta, TikTok).
• Event names: What event names were sent to those vendors (for example, "page_view", "purchase").
• Request success or failure: Whether each network request to a third-party vendor succeeded or was blocked.
• Request latency: Approximate time taken for each network request, measured in milliseconds.
• Request URLs are sanitised: Full request URLs are not stored. Only the vendor domain and path structure are captured, with any query parameters containing personal data redacted.

Attribution Data (from URL parameters only)

• UTM parameters: Campaign tracking parameters in the page URL (utm_source, utm_medium, utm_campaign, utm_content, utm_term).
• Ad click IDs: Advertising platform click identifiers present in the URL, such as gclid (Google Ads), fbclid (Meta Ads), ttclid (TikTok Ads), and msclkid (Microsoft Ads). These are captured from the URL only - TagSense does NOT read cookies to obtain click IDs.

Security Data (payment and checkout pages only, when configured)

• Unknown script detection: Whether any unrecognised third-party scripts appeared on checkout or payment pages. This is used to detect potential security incidents such as script injection.
• Content Security Policy violations: Records of any browser-reported CSP violations on the monitored site.

4c. What TagSense Never Collects

4d. Data Processing Agreement

GetInlytics offers a Data Processing Agreement (DPA) to all clients who install TagSense on websites serving EU, EEA, UK, or Indian users. The DPA sets out the terms under which GetInlytics processes data as a processor on the client's behalf, including data security obligations, sub-processor disclosures, and data subject rights assistance.

To request a DPA, email hello@getinlytics.com with the subject line "TagSense DPA Request". We will respond within 5 business days.

4e. Sub-Processors Used for TagSense Data

5. Legal Basis for Processing by Region

European Union / EEA (GDPR)

• Analytics cookies (GA4): Consent (GDPR Art. 6(1)(a)) - obtained via Cookiebot consent banner.
• Contact form submissions: Legitimate interests (GDPR Art. 6(1)(f)) - our legitimate interest is responding to inquiries from prospective or existing clients.
• Newsletter subscription: Consent (GDPR Art. 6(1)(a)) - you explicitly opted in.
• Free tool scan submissions: Performance of contract (GDPR Art. 6(1)(b)) - processing is necessary to deliver the scan result you requested.
• TagSense data (processor role): Contract (GDPR Art. 6(1)(b)) - processing is governed by the client's instructions and our Data Processing Agreement.

India (Digital Personal Data Protection Act 2023)

GetInlytics (RCB Digital Solutions) acts as a Data Fiduciary under the DPDP Act 2023 for data collected on getinlytics.com from India-based users.

• All processing of personal data requires consent under the DPDP Act where no other lawful ground applies.
• Consent is obtained via our Cookiebot banner for analytics data.
• You may withdraw consent at any time by contacting hello@getinlytics.com.
• For grievances, contact hello@getinlytics.com. We will acknowledge within 48 hours and respond within 30 days.

California, United States (CCPA / CPRA)

• We do not sell personal information. We never have and never will.
• We do not share personal information for cross-context behavioural advertising.
• We do not use advertising pixels (no Meta Pixel, no TikTok Pixel, no Google Ads remarketing) on getinlytics.com.
• California residents may request to know what personal information we hold about them, request deletion, and request correction. Contact hello@getinlytics.com.
• We do not discriminate against you for exercising your privacy rights.

6. Your Privacy Rights

Depending on where you are located, you have some or all of the following rights. To exercise any of them, email hello@getinlytics.com with your name, the specific right you are exercising, and enough detail for us to identify the data in question. We will respond within 30 days.

Rights under GDPR (EU / EEA users)

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Ask us to correct inaccurate personal data we hold.
• Right to erasure ("right to be forgotten"): Ask us to delete your personal data where we have no compelling reason to continue processing it.
• Right to data portability: Receive your personal data in a structured, machine-readable format.
• Right to restrict processing: Ask us to pause processing your data in certain circumstances.
• Right to object: Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds that override your interests.
• Right to withdraw consent: Where processing is based on consent, withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
• Right to lodge a complaint: If you believe we have breached GDPR, you may lodge a complaint with the supervisory authority in your EU member state. A list of EU data protection authorities is available at edpb.europa.eu.

Rights under DPDP Act 2023 (India users)

• Right of access: Request a summary of what personal data we hold and how it is processed.
• Right to correction: Ask us to correct inaccurate or incomplete personal data.
• Right to erasure: Ask us to delete personal data when the purpose for which it was collected has been fulfilled and retention is not required by law.
• Right to grievance redressal: Contact hello@getinlytics.com. We will acknowledge within 48 hours and respond fully within 30 days.
• Right to nominate: Nominate another person to exercise your rights in the event of your death or incapacity. Contact us for details.

Rights under CCPA / CPRA (California users)

• Right to know: Know what personal information we have collected about you, the purposes of collection, and who it has been disclosed to.
• Right to delete: Request deletion of personal information we have collected from you.
• Right to correct: Request correction of inaccurate personal information.
• Right to opt out of sale/sharing: We do not sell or share personal information. No action is needed, but you may contact us to confirm.
• Right to non-discrimination: We will not discriminate against you for exercising any of these rights.

Automated Decision-Making

We do not carry out any automated decision-making or profiling that produces legal or similarly significant effects on individuals.

7. Cookies

getinlytics.com uses only analytics cookies (Google Analytics 4). We do not use advertising cookies, tracking pixels, retargeting cookies, or cross-site tracking of any kind. Our full Cookie Policy, including tables of every cookie we set and instructions for managing your preferences, is available at getinlytics.com/cookie-policy.

Important note about TagSense: TagSense - our monitoring script that website owners can install on their own websites - sets zero cookies. TagSense uses only sessionStorage (cleared automatically when you close your browser tab) to hold a temporary, pseudonymised session identifier. No persistent cookies are set by TagSense on any website where it is installed.

Our cookie consent is managed by Cookiebot (free version). You can update your cookie preferences at any time by clicking "Manage Cookie Preferences" in our cookie banner, or by visiting our Cookie Policy.

8. International Data Transfers

RCB Digital Solutions is based in India. Some of the third-party processors we use are located outside India and the EU. Where personal data is transferred to countries that do not offer an equivalent level of data protection, we ensure appropriate safeguards are in place.

9. Security

• All pages on getinlytics.com are served over HTTPS with HSTS enforced.
• Security response headers are implemented across all pages: X-Frame-Options, Content Security Policy, X-Content-Type-Options, and Referrer-Policy.
• Supabase Row Level Security (RLS) is enabled on all database tables.
• OAuth tokens (used for GTM integration) are stored encrypted in Supabase.
• We perform periodic security reviews of our infrastructure.
• We never sell data to third parties under any circumstances.

Despite our best efforts, no internet transmission is completely secure. If you become aware of a security issue, please disclose it responsibly at hello@getinlytics.com.

10. Children

GetInlytics is not directed at children. We do not knowingly collect personal data from anyone under 16 years of age (or under 13 in the United States). If you believe we have inadvertently collected data about a child, please contact hello@getinlytics.com immediately and we will delete it without delay.

11. Contact Us

For all privacy-related inquiries, requests to exercise your rights, or concerns about how we handle your data:

Related pages: Terms of Service · Cookie Policy

Last updated: 31 May 2026