Privacy Policy

About this notice

The GTM Script Installer ("the App") is operated by the Triptease Group (Triptease Ltd, Triptease Inc. and Triptease Pte Ltd, registered with the UK Information Commissioner's Office under number ZA377297, with registered office at Working From Southwark, 32 Blackfriars Rd, London SE1 8PB).

This notice supplements the Triptease Privacy Policy and describes only the specifics of how the App accesses, uses, stores and shares Google user data. For data subject rights under GDPR (access, rectification, erasure, portability, objection, etc.), the wider security framework, international transfers, retention defaults and children's privacy, please refer to the main policy.

Google user data we access

The App uses Google OAuth 2.0 to authenticate you and to call the Google Tag Manager API on your behalf. When you log in, we request the following OAuth scopes:

• userinfo.email — to obtain your Google email address, used as your session identifier and recorded in our operational logs.
• tagmanager.manage.accounts — to list the GTM accounts and containers your Google account has access to.
• tagmanager.edit.containers — to read containers and workspaces and to create the Triptease integration tag.
• tagmanager.edit.containerversions — to create a new container version that includes the Triptease integration tag.
• tagmanager.publish — to publish the new container version so the Triptease script becomes live on your website.

We do not access any other Google user data. We do not call any other Google API outside the scopes listed above.

How we use Google user data

We use Google user data only to perform the actions you explicitly request inside the App: listing your GTM accounts, creating the Triptease integration tag in the workspace you select, creating a container version, and publishing it.

We do not use Google user data for advertising, retargeting, profiling, credit assessment, training machine-learning models, or any purpose unrelated to installing the Triptease integration script.

Limited Use of Google user data

The App's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:

• We only use Google user data to provide the user-facing installation feature described above and visible in the App's interface.
• We do not transfer Google user data to third parties except (a) as necessary to provide and operate the user-facing feature, (b) for security purposes, (c) to comply with applicable law, or (d) as part of a merger or acquisition with prior user consent.
• We do not allow humans to read Google user data, except (a) with your explicit consent for specific data, (b) for security purposes, (c) to comply with applicable law, or (d) where the data has been aggregated and anonymised for internal operations.
• We do not sell Google user data, and we do not use it for serving or improving advertising.

Data storage and protection

Triptease takes appropriate technical and organisational measures to protect Google user data against loss, misuse and unauthorised access. Specifically for this App:

• All communication between your browser, the App and Google's APIs is encrypted in transit.
• OAuth tokens issued by Google are stored only in a signed, HTTP-only, secure session cookie set on your browser. They are not written to any server-side database, file system or third-party store. The session expires automatically after 2 days of inactivity, after which you must re-authenticate.
• We do not maintain a server-side database, cache or file-system store for Google user data. The contents of your GTM accounts, containers, workspaces and tags are processed only for the duration of an in-flight request and discarded immediately afterwards.
• Server-side credentials are held in a managed secrets store and encrypted at rest. Only the App's dedicated service account can read them.
• OAuth tokens are never written to application logs. Access to operational logs is restricted to authorised Triptease staff who authenticate via Triptease's single sign-on.
• Should we become aware of any unauthorised access to user data, we will notify affected users without undue delay, in line with applicable data-protection law.

The App is hosted on Google Cloud Platform in the United States. Because Triptease is based in the UK, this involves an international transfer of personal data; the safeguards described in section "International transfer of data" of the Triptease Privacy Policy apply.

Sharing and processors

We do not sell or trade Google user data. We share limited data with the following processors strictly to operate the App:

• Google LLC — provides the OAuth and Tag Manager APIs the App calls, and hosts the App via Google Cloud Run and Google Secret Manager.
• Datadog, Inc. — receives operational logs that include your Google email, the Triptease integration ID, and the target container, used to diagnose installation failures and provide support.
• FullStory, Inc. — records your interactions with the App's interface (clicks, navigation, page content) for usability analysis. See FullStory's Privacy Policy for details.

Cookies

The App sets a single session cookie to maintain your authenticated session, as described in the storage section above. We do not set tracking, analytics or advertising cookies from the App itself.

Revoking access and deleting your data

You can stop the App from accessing your Google account at any time and request deletion of any data we hold about you. Three options:

1. Log out of the App. Visit /logout to invalidate your session immediately. Your session cookie is destroyed and the App can no longer call Google APIs on your behalf.
2. Revoke OAuth access at Google. Visit your Google Account Permissions page and remove "GTM Script Installer". Google will invalidate the tokens previously issued to the App.
3. Request deletion from Triptease. Email data-privacy@triptease.com asking us to delete operational records about your usage of the App (Datadog logs, FullStory recordings). We will respond within one month of receiving your request, in line with the Triptease Privacy Policy.

Contact

For any question about this notice, your data, or to exercise any of the rights described in the Triptease Privacy Policy , contact us at data-privacy@triptease.com.

Triptease, Working From Southwark, 32 Blackfriars Rd, London SE1 8PB.