Security & Data Handling
Last updated: 30 April 2026
This page summarizes how Measure Copilot handles data today. It is intentionally specific about current controls and avoids claiming enterprise certifications that are not yet in place.
Data minimization
Measure Copilot asks for the minimum evidence needed to run a measurement audit: a URL, optional files, and optional notes. Users should not upload unnecessary sensitive information.
Audit files
Uploaded GTM JSON, GA4 CSV, acquisition CSV, backend orders CSV, tracking plan CSV, and extension evidence JSON are processed to generate the audit report. The product is designed so raw uploaded files are not retained after processing unless explicitly stated otherwise.
Audit reports
Generated audit reports are stored with unique IDs so users can revisit results. Reports are designed to expire after 7 days.
Authentication and billing
Authentication is handled through Supabase Auth. Payments, when enabled, are handled by Stripe. Measure Copilot does not store card numbers or bank details.
Access controls
Administrative access is limited to people who need it to operate and support the product. Production secrets are managed through hosting and provider environment variables.
Security status
Measure Copilot does not currently claim SOC 2, ISO 27001, HIPAA, PCI DSS service-provider certification, or enterprise penetration-test coverage. Those controls may be added later as the product matures.
Incident contact
Report security concerns to hi@measurecopilot.com with enough detail for us to reproduce or assess the issue.
External guidance
Our security roadmap is informed by practical guidance such as the FTC's business security resources and cloud provider best practices, but this page describes only controls actually implemented or planned for Measure Copilot.