Privacy Policy

Effective date: March 2026

1. Controller and Contact Information

The controller responsible for data processing on this website and through the HeyMetrix application is:

Franco Consulting GmbH
Maria-Theresia-Straße 17
89331 Burgau, Germany
Managing Directors: Kilian Franco and Lukas Kraus
Email: [email protected]
Commercial Register: HRB 210213, Amtsgericht Memmingen
VAT ID: DE358098950

2. Overview of HeyMetrix

HeyMetrix is a SaaS marketing analytics dashboard operated by Franco Consulting GmbH. It enables users to connect their advertising accounts (Google Ads, Meta Ads) via official APIs, monitor campaigns, receive alerts for budgets and KPI deviations, and generate performance reports. All data processing occurs on servers hosted by Hetzner in Germany and the European Union.

3. Legal Bases for Processing

We process personal data on the following legal bases under the General Data Protection Regulation (GDPR):

  • Art. 6(1)(a) GDPR — Consent: Where you have given explicit consent (e.g., for analytics cookies, connecting your Google Ads account via OAuth).
  • Art. 6(1)(b) GDPR — Contract: Where processing is necessary for the performance of our service agreement with you.
  • Art. 6(1)(f) GDPR — Legitimate Interest: Where we have a legitimate interest in processing (e.g., server security logs, fraud prevention), provided your rights do not override that interest.
  • Art. 6(1)(c) GDPR — Legal Obligation: Where processing is required to comply with legal obligations (e.g., tax or accounting records).

4. Account Registration and Authentication

To use HeyMetrix, you create an account using an email address and password. Authentication is handled through Appwrite, a self-hosted authentication service running on Hetzner servers in Germany. We store:

  • Your email address
  • Your name (if provided)
  • A securely hashed password (we never store plaintext passwords)
  • Session tokens for maintaining your login state

This data is processed on the basis of Art. 6(1)(b) GDPR (contract performance) and is stored for as long as your account exists.

5. Google OAuth and Google User Data

5.1 What Google User Data We Collect

When you connect a Google Ads or Google Analytics account to HeyMetrix, you authenticate via Google OAuth 2.0. Through this process, we receive:

  • OAuth profile information: Your Google account email address and basic profile information as provided by Google during the OAuth consent flow.
  • OAuth access and refresh tokens: These tokens allow us to make authorized, read-only API requests to Google APIs on your behalf.
  • Google Ads API data: Campaign structures, ad groups, ads, keywords, budgets, performance metrics (impressions, clicks, conversions, costs), account-level settings, and other read-only data retrieved through the Google Ads API.
  • Google Analytics (GA4) data: Property information, website traffic metrics, conversion data, audience information, and other read-only analytics data retrieved through the Google Analytics Data API.

We only request read-only access to your Google Ads and Google Analytics data. We do not modify, create, or delete any campaigns, settings, or analytics configurations in your Google accounts.

5.2 How We Use Google User Data

Google user data is used exclusively to provide, maintain, and improve the HeyMetrix service for you. Specifically, we use it to:

  • Display your Google Ads and Google Analytics data within the HeyMetrix dashboard
  • Monitor campaign performance and trigger alerts for budget overruns or KPI deviations
  • Generate performance reports that you request
  • Maintain your connections to Google services so data stays up-to-date
  • Power an optional AI-assisted chat feature that can answer questions about your campaign data (see Section 5.4 for details on the AI provider)

5.3 What We Do NOT Do with Google User Data

We do not sell Google user data to any third party.

Furthermore, we do not use Google user data for any of the following purposes:

  • Serving, targeting, or personalizing advertisements
  • Training artificial intelligence or machine learning models (note: while our optional AI chat feature processes campaign metadata via the OpenAI API, OpenAI does not use API data for model training, and no data is retained by OpenAI beyond the duration of the request)
  • Data brokering or reselling data to third parties
  • Assessing creditworthiness or for lending purposes
  • Any purpose unrelated to providing the HeyMetrix service to you

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5.4 Who We Share Google User Data With

We do not share, transfer, or disclose Google user data to any third parties except as strictly necessary to provide the HeyMetrix service:

  • Hetzner Online GmbH (Germany/EU): Our infrastructure provider where all servers and databases are hosted. Hetzner acts as a data processor under a Data Processing Agreement (DPA) and processes data exclusively within the European Union.
  • OpenAI, L.L.C. (USA): Powers an optional AI-assisted chat feature within HeyMetrix. When you use this feature, limited campaign metadata (such as campaign names, ad group names, and high-level performance indicators) may be sent to the OpenAI API to generate responses. OpenAI processes this data under their API data usage policy, which states that API data is not used for model training and is not retained beyond the duration of the request. This data transfer is protected by Standard Contractual Clauses (SCCs) under Art. 46 GDPR.

We do not transfer Google user data to any other third parties, advertising networks, data brokers, or analytics providers.

5.5 Data Protection Mechanisms for Google User Data

We implement the following measures to protect Google user data:

  • Encryption in transit: All data transmitted between your browser, our servers, and Google APIs is encrypted using TLS 1.2 or higher.
  • Server-level encryption: All data is stored on servers with disk-level encryption. Database access is restricted to authenticated backend services only.
  • Access controls: Access to Google user data is strictly limited to authorized systems and personnel required for service operation. No employee has direct access to your raw Google Ads data.
  • Token security: OAuth refresh tokens are stored securely and are only used to obtain short-lived access tokens for API requests.
  • EU-only hosting: All data, including Google user data, is hosted on Hetzner servers located in Germany and the European Union.

5.6 Retention and Deletion of Google User Data

We retain Google user data for as long as your HeyMetrix account is active and the Google Ads or Google Analytics connection is maintained. Specifically:

  • OAuth tokens: Stored as long as your Google Ads account is connected. Immediately deleted when you disconnect your Google Ads account or delete your HeyMetrix account.
  • Google Ads and GA4 performance data: Retained for the duration of your active account to provide historical reporting. Deleted when you delete your account or request data deletion.

You can disconnect your Google Ads account at any time from within the HeyMetrix application, which will immediately revoke our access and delete stored OAuth tokens. You may also revoke access directly from your Google Account permissions page.

5.7 How to Request Deletion of Google User Data

You can request deletion of your Google user data at any time by:

  • Disconnecting your Google Ads account within HeyMetrix (Settings → Connected Accounts)
  • Deleting your HeyMetrix account entirely
  • Sending an email to [email protected] with the subject line "Data Deletion Request"

Upon receiving a deletion request, we will delete all associated Google user data from our systems within 30 days. We will confirm deletion via email.

6. Meta Ads Data

HeyMetrix also allows you to connect Meta (Facebook) Ads accounts via the Meta Marketing API. Similar to Google Ads, we request read-only access to retrieve campaign data, ad performance metrics, and account information. This data is used exclusively to provide the HeyMetrix service. The same data protection measures, retention policies, and deletion processes described for Google user data above apply equally to Meta Ads data.

7. General Data Collection

7.1 Server Log Files

When you visit our website, our hosting provider (Hetzner) automatically collects and stores information in server log files that your browser transmits. This includes:

  • IP address (anonymized where possible)
  • Date and time of the request
  • Requested URL and referrer URL
  • Browser type and version
  • Operating system
  • HTTP status code and data volume transferred

This data is processed on the basis of Art. 6(1)(f) GDPR (legitimate interest in ensuring server security and stability). Log files are automatically deleted after 30 days.

7.2 SSL/TLS Encryption

This website and the HeyMetrix application use SSL/TLS encryption for security reasons and to protect the transmission of confidential content, such as requests you send to us or login credentials. You can recognize an encrypted connection by the "https://" prefix in your browser's address bar and the lock icon.

7.3 Contact via Email

If you contact us by email (e.g., at [email protected]), we will store your email address and any information you provide in order to process your inquiry. This data is processed on the basis of Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in responding to inquiries). We will delete this data once your inquiry has been fully resolved, unless retention is required by law.

8. Cookies

Our website uses cookies. Cookies are small text files stored on your device by your browser. Some cookies are technically necessary for the website to function (e.g., session cookies). Other cookies are used for analytics or marketing purposes and are only set with your explicit consent.

You can manage your cookie preferences at any time through our consent management tool (see Section 9.1 below) or through your browser settings. Disabling cookies may limit the functionality of our website.

Technically necessary cookies are processed on the basis of Art. 6(1)(f) GDPR (legitimate interest). All other cookies require your consent under Art. 6(1)(a) GDPR.

9. Third-Party Services

9.1 Usercentrics Consent Management Platform (CMP)

We use Usercentrics to manage your cookie and tracking consent preferences. Usercentrics stores your consent decisions so that we can respect your choices across sessions. This processing is based on Art. 6(1)(c) GDPR (legal obligation to document consent) and Art. 6(1)(f) GDPR (legitimate interest in lawful data processing). For more information, see the Usercentrics Privacy Policy.

9.2 Google Tag Manager

We use Google Tag Manager to manage website tags. Google Tag Manager itself does not collect personal data. It triggers other tags that may collect data, but Google Tag Manager does not access this data. If tracking has been disabled at the domain or cookie level, it remains in effect for all tracking tags implemented via Google Tag Manager. For more information, see the Google Privacy Policy.

9.3 PostHog Analytics

We use PostHog for product analytics to understand how users interact with HeyMetrix and to improve our service. Our PostHog instance is hosted on EU servers, ensuring that analytics data remains within the European Union. PostHog collects anonymized usage data such as page views, feature usage, and session information. This processing is based on your consent under Art. 6(1)(a) GDPR. For more information, see the PostHog Privacy Policy.

9.4 OpenAI (AI Chat Assistant)

HeyMetrix offers an optional AI-assisted chat feature powered by OpenAI. When you use this feature, limited campaign metadata (such as campaign names, ad group names, and aggregated performance indicators) is sent to the OpenAI API to generate contextual responses. No raw performance data, personal data, or OAuth tokens are sent to OpenAI. Under OpenAI's API data usage policy, data submitted via the API is not used for model training and is not retained beyond the duration of the request. This processing is based on Art. 6(1)(b) GDPR (contract performance — providing the service feature you initiated). For more information, see the OpenAI Enterprise Privacy page.

10. International Data Transfers

Our primary data processing occurs within the European Union (Hetzner servers in Germany). Some third-party services (Google Tag Manager, OpenAI) may transfer data to servers in the United States. Where such transfers occur, they are safeguarded by the EU-U.S. Data Privacy Framework, Standard Contractual Clauses (SCCs), or other appropriate safeguards under Art. 46 GDPR.

11. Your Rights Under GDPR

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access (Art. 15 GDPR): You have the right to request information about whether and which personal data we process about you.
  • Right to rectification (Art. 16 GDPR): You have the right to request correction of inaccurate personal data.
  • Right to erasure (Art. 17 GDPR): You have the right to request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction of processing (Art. 18 GDPR): You have the right to request restriction of processing under certain conditions.
  • Right to data portability (Art. 20 GDPR): You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
  • Right to object (Art. 21 GDPR): You have the right to object to the processing of your personal data based on legitimate interests at any time.
  • Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. The competent authority for us is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.

To exercise any of these rights, please contact us at [email protected].

12. Data Retention

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law. The specific retention periods are:

  • Account data: Retained for the duration of your active account. Deleted within 30 days of account deletion.
  • Google Ads / Meta Ads data: Retained for the duration of the active connection. Deleted upon disconnection or account deletion.
  • OAuth tokens: Deleted immediately upon disconnecting the respective ad platform or deleting your account.
  • Server log files: Automatically deleted after 30 days.
  • Email correspondence: Retained until the inquiry is resolved, then deleted unless legal retention applies.
  • Billing and tax records: Retained for up to 10 years as required by German commercial and tax law (§ 147 AO, § 257 HGB).

13. Account and Data Deletion

You can delete your HeyMetrix account at any time from within the application settings. Upon account deletion:

  • All stored OAuth tokens are immediately revoked and deleted
  • All Google Ads and Meta Ads data associated with your account is deleted
  • Your account information (email, name) is deleted
  • All campaign data, reports, and monitoring configurations are deleted

This process is completed within 30 days. Data that must be retained for legal reasons (e.g., billing records) will be retained for the legally required period and then deleted. If you are unable to delete your account through the application, you may request deletion by emailing [email protected].

14. Children's Privacy

HeyMetrix is a business tool designed for professional use. We do not knowingly collect personal data from children under the age of 16. If we become aware that we have inadvertently collected data from a child, we will delete it promptly.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify registered users of material changes via email. The current version is always available on this page.

16. Contact

If you have questions about this Privacy Policy or our data processing practices, please contact us at:

Franco Consulting GmbH
Maria-Theresia-Straße 17
89331 Burgau, Germany
Email: [email protected]