Privacy Policy
MagicMetrics S.r.l.s. – Via di Salviano 567/C – 57124 – Livorno (LI) – Italy
VAT: 02099470490
DPO: Michele Pisani – privacy@magicmetrics.ai
Last updated: May 2026
1. Who We Are
MagicMetrics S.r.l.s. ("MagicMetrics", "we") develops and operates Magic Reports, a Google Sheets add-on that allows users to retrieve and display data from connected analytics sources. This Privacy Policy describes what personal data we collect, how we use it, and what rights you have under Regulation (EU) 2016/679 ("GDPR").
2. Data We Collect
2.1 Account data: email address; name and surname (if provided); password in encrypted form (bcrypt algorithm).
2.2 Billing data: name or company name, address, VAT number or tax code. Credit card details do not pass through or get stored on our servers: they are managed exclusively by Stripe Inc. (PCI-DSS).
2.3 OAuth access tokens. MagicMetrics manages OAuth tokens differently depending on the connector.
Direct connectors (GA4, Google Search Console, Google AdSense, YouTube Analytics): the OAuth token passes through MagicMetrics servers exclusively at the time of the initial connection authorisation. Thereafter, it is stored in encrypted form solely to enable automatic token refresh without requiring a new manual authorisation. API calls to data sources occur directly between the user's Google Sheets and Google's servers: analytics data never passes through MagicMetrics servers.
Server-side connectors (Google Ads and connectors requiring reserved credentials): the OAuth token and required credentials are stored in encrypted form in our database for the entire duration of the active connection. API calls to these sources pass through MagicMetrics servers, which act as an authenticated proxy. Data is processed exclusively in volatile memory for the technical duration of the response and is never stored.
In both cases, you can revoke access at any time from the dashboard or directly from the Google security panel.
Encryption in transit: all communications between Google Sheets, MagicMetrics servers, and Google APIs occur exclusively over HTTPS/TLS.
Encryption measures: OAuth tokens and associated email addresses are encrypted at the application layer using the XSalsa20-Poly1305 algorithm (Sodium library), with a unique nonce generated for each record, before being stored in the database. To allow lookups without decrypting stored data, a keyed blind index based on HMAC-SHA256 is additionally generated alongside the encrypted email: a one-way, key-dependent value used solely for internal matching, which cannot be used to recover the original email without the encryption key. This encryption is in addition to the native storage encryption provided by Google Cloud SQL.
2.4 Connection metadata: for each authorised connection we store the email address of the connected account, a unique connection identifier, the connector type, and the authorisation date.
2.5 Usage data: we record the execution counter per account to verify plan limits. We do not record the content of reports or retrieved analytics data.
2.6 Technical logs: IP addresses, timestamps, HTTP response codes. Retained for a maximum of 30 days for security and monitoring purposes.
3. Analytics Data from Connected Sources
Direct connectors (GA4, Search Console, AdSense, YouTube): analytics data does not pass through MagicMetrics servers in any way. The flow is as follows: Google Sheets obtains the token from the MagicMetrics server, then calls the Google APIs directly. Data travels from Google to Google Sheets without passing through MagicMetrics. MagicMetrics does not see, process, or store such data in any form.
Server-side connectors (Google Ads): data passes through MagicMetrics servers in volatile memory for the sole technical duration of the response. It is never written to disk or stored in a database.
In both cases, the processing, aggregation, and display of data takes place entirely within Google Sheets, under the user's exclusive control and subject to Google's policies.
4. Legal Bases and Purposes of Processing
Provision of the Service: performance of contract (Art. 6.1.b GDPR).
Account management and authentication: performance of contract (Art. 6.1.b GDPR).
Billing and tax obligations: legal obligation (Art. 6.1.c GDPR).
Security and fraud prevention: legitimate interest (Art. 6.1.f GDPR).
Service communications: performance of contract (Art. 6.1.b GDPR).
Promotional communications: consent (Art. 6.1.a GDPR).
We do not use data for profiling, behavioural advertising, or purposes other than those indicated.
5. Data Sharing
We do not sell or transfer your personal data to third parties for commercial purposes. We share data exclusively with: Stripe Inc. (payment processing, USA, safeguards: SCC, PCI-DSS); Google Cloud Platform (hosting infrastructure, EU, safeguards: SCC, ISO 27001); Google LLC (data source APIs, USA, safeguards: SCC).
6. International Transfers
MagicMetrics' servers are physically located in Italy (Milan), within the European Union. Transfers to third countries take place exclusively through Standard Contractual Clauses (SCC) approved by the European Commission pursuant to Art. 46 GDPR.
7. Data Retention
Account data: duration of the relationship + 2 years.
Billing data: 10 years (Italian tax obligation).
OAuth tokens: duration of the active connection.
Connection metadata: duration of the relationship + 2 years.
Technical logs: 30 days.
Analytics data: not stored.
Account configuration after inactive Trial: 90 days.
8. Your Rights
Under the GDPR you have the right to: Access (Art. 15) — obtain confirmation of processing and a copy of your data; Rectification (Art. 16) — correct inaccurate or incomplete data; Erasure (Art. 17) — obtain deletion ("right to be forgotten"); Restriction (Art. 18) — restrict processing in certain cases; Portability (Art. 20) — receive data in a structured, machine-readable format; Objection (Art. 21) — object to processing based on legitimate interest; Withdrawal of consent — withdraw consent at any time, without affecting the lawfulness of prior processing.
To exercise your rights: privacy@magicmetrics.ai. We will respond within 30 days, extendable by a further 60 days in particularly complex cases. You also have the right to lodge a complaint with the Italian Data Protection Authority: garanteprivacy.it.
9. Data Security Breaches
In the event of a security breach that poses a risk to the rights and freedoms of data subjects, MagicMetrics notifies the competent Data Protection Authority within 72 hours of becoming aware of the breach, pursuant to Art. 33 GDPR. Where the breach is likely to result in a high risk to the rights of data subjects, affected users will be informed without undue delay via email, pursuant to Art. 34 GDPR.
10. Minors
The Service is not intended for persons under the age of 18. We do not knowingly collect data from minors. If you believe a minor has created an account, please contact us at privacy@magicmetrics.ai.
11. Cookies
For cookie management, please refer to the Cookie Policy available at magicmetrics.ai/cookie-policy.
12. Changes to This Policy
Material changes will be communicated by email with at least 30 days' notice. The updated version is always available at magicmetrics.ai/privacy-policy with the date of the last update indicated.
13. "Magic Reports" Spreadsheet addon: Access Permissions and Data Usage
Magic Reports requires certain Google access permissions to function properly. Below is a full list of the authorization scopes requested and an explanation of how each is used.
Magic Reports only accesses data strictly necessary to provide the service. No data is shared with third parties for commercial or advertising purposes. Data retrieved from connected platforms (e.g. Google Ads, Meta, GA4) is written directly to the user's Google Sheet and is not stored on our servers. Magic Reports only stores encrypted access tokens required to authenticate requests to connected platforms on behalf of the user. These tokens are never shared with third parties.
| Permission | Usage |
|---|---|
Google Sheets (spreadsheets.currentonly) |
Read and write data in the active Google Sheet to insert the reports requested by the user. |
External requests (script.external_request) |
Make API calls to connected platforms (e.g. Google Ads, Meta Ads, GA4) to retrieve reporting data. |
User interface (script.container.ui) |
Display the Magic Reports side panel and menus inside Google Sheets. |
Email and profile (userinfo.email, userinfo.profile, openid) |
Identify the user to manage the session and associate connections with their Magic Reports account. |
Send email (gmail.send) |
Send the report by email to the address specified by the user in the report configurator, on behalf of the user. |
Triggers and automations (script.scriptapp) |
Create and manage triggers for automatic and scheduled report refreshes. |
Google Analytics (analytics.readonly) |
Retrieve Google Analytics 4 report data (dimensions and metrics selected by the user) to populate reports in the Google Sheet. No Analytics configuration is modified. |
Google Ads (adwords) |
Retrieve Google Ads campaign performance data for reporting purposes only. The Google Ads API does not offer a narrower read-only scope; Magic Reports never creates, edits, or deletes Ads campaigns or account settings. |
YouTube (youtube.readonly) |
Retrieve channel and video metadata (titles, IDs) to populate the source picker used to configure YouTube reports. |
YouTube Analytics (yt-analytics.readonly) |
Retrieve YouTube Analytics performance metrics (views, watch time, engagement) for reporting purposes. Monetary/revenue data is never accessed. |
Search Console (webmasters.readonly) |
Retrieve Search Console performance data (queries, clicks, impressions, position) for verified sites owned by the user, for reporting purposes only. |
AdSense (adsense.readonly) |
Retrieve AdSense earnings and performance data for reporting purposes only. No AdSense account settings are modified. |
The reporting tool that actually works, and always has.
Every connector comes with a 14-day free trial. No credit card required, no automatic renewal. Try it at your own pace.