Privacy Policy
How we collect, use and protect your data. Last updated: May 11, 2026.
Preamble
Gaating is an online service that allows content creators and digital entrepreneurs to transform any link into an email capture page ("the Service"). This policy explains what data we collect about you and about visitors to your pages, why, with whom it is shared and how long it is kept.
This policy complies with the General Data Protection Regulation (GDPR), the French Data Protection Act, as well as the specific requirements of the Google API Services User Data Policy.
Data controller
The controller of data collected via the Service is:
- Gaating — publisher of the Service
- Email: hello@gaating.com
- Full contact details: see Legal Notice
Data collected
A. Data from your Gaating account
- Email (for authentication via Supabase magic link)
- First name and last name if you provide them during onboarding (optional)
- Session cookies issued by Supabase Auth to keep you logged in
B. Data related to the use of the Service
- Links created: title, public slug, destination URL, description, capture field configuration, status (active / paused), creation date
- Configured connectors: type (Brevo / Google Sheets / etc.), email of the remote account, display labels (list name, Sheet name), encrypted API keys and tokens (see the Security section)
- Send logs: success / failure of each lead dispatch to a third-party tool (Brevo, Sheets, etc.), with error message where applicable
C. Data of visitors to your capture pages
When a visitor accesses gaating.com/<slug> and submits the form, we collect:
- The fields explicitly entered (email, first name, phone according to your configuration)
- The consent given, if the consent checkbox is enabled
- Minimal technical metadata: browser user-agent, referer (URL of origin of the click), IP address (used only for anti-bot click counting, not resold)
- A click counter on the page to calculate your conversion rate
Purposes of processing
Your data is used only to:
- Provide you with the Service (link creation, capture page, dashboard, exports — legal basis: performance of the contract)
- Route your leads to your connected tools (Brevo, Sheets, etc. — legal basis: performance of the contract)
- Contact you for essential information about the Service or support (legal basis: legitimate interest)
- Improve the product by analyzing anonymized statistics (legal basis: legitimate interest)
We never sell your data. We do not share your data with advertisers or data brokers.
Use of Google API data
When you connect your Google account to Gaating to use the Google Sheets connector, we access the following data via the Google APIs, with your explicit authorization via the OAuth 2.0 flow:
| Requested scope | Why | Google classification |
|---|---|---|
| drive.file | Per-file access. Allows only reading and writing in the Google Sheets that you explicitly select via the Google Picker. No access to other files in your Drive. | Non-sensitive |
| userinfo.email, profile | Display your connected Google email for identification in Gaating | Non-sensitive |
- Google data is used only to provide the Service features explicitly requested by you (list your Sheets, write leads into them)
- We do not transfer Google data to third parties, except as necessary to provide the Service or as required by law
- We do not use Google data for personalized advertising
- We do not allow humans to read your Google data unless you give explicit consent, it is necessary for security, it is required to comply with the law, or the data is used for internal operations in anonymized and aggregated form
What we store on the Gaating side
- An encrypted Google refresh token (AES-256-GCM with a server-side master key), used to generate a temporary access token at each lead dispatch
- Your connected Google email address
- Per link: the ID of the Sheet and the name of the target tab (not the content of the Sheet)
- Send logs: status (success / failure), Google HTTP return code, error message where applicable
How to revoke Google access
You can at any time:
- Click on Disconnect Google in /app/connectors/googlesheets — this deletes the encrypted refresh token from our DB
- Revoke access directly on myaccount.google.com/permissions — this immediately invalidates the refresh token on the Google side
Processors and data sharing
To run the Service, we use the following processors. Each processes your data only to provide a technical service to Gaating, within the framework of a processing agreement compliant with article 28 of the GDPR.
| Processor | Role | Location |
|---|---|---|
| Supabase | Database + authentication | EU (Frankfurt) |
| Vercel | App hosting | EU + USA |
| Resend / SendGrid | Sending of transactional emails (magic links) | USA |
| Brevo, Mailchimp, Google, etc. | If you activate a connector, your leads are transmitted to these services at your request | Variable |
Transfers to processors outside the EU are governed by the Standard Contractual Clauses (SCC) of the European Commission or by an adequacy decision.
Retention period
- User account: as long as your account is active. Deletion on request within 30 days.
- Links and leads: kept as long as your account is active. Upon deletion of the account, your links are deleted (DB cascade) and your leads with them.
- Refresh tokens and connector API keys: as long as the connector is active. Deleted immediately upon disconnection.
- Dispatch logs: 90 days, then automatically purged.
- Server logs (Vercel): 7 days, managed by Vercel.
Your rights
In accordance with the GDPR, you have the following rights:
- Right of access: obtain a copy of the data concerning you
- Right of rectification: correct inaccurate data
- Right to erasure: request the deletion of your account and data
- Right to portability: retrieve your data in a readable format (CSV export of leads available at any time in the app)
- Right to object: object to certain processing
- Right to restriction: temporarily freeze processing
- Right to withdraw your consent at any time
- Right to lodge a complaint with the CNIL: cnil.fr/fr/plaintes
To exercise these rights, contact us at hello@gaating.com.
Security
- All communications with Gaating are encrypted in HTTPS (TLS 1.2+)
- Third-party API keys (Brevo) and OAuth refresh tokens (Google) are encrypted in the database with AES-256-GCM, master key stored outside the database in our environment variables
- Postgres Row Level Security enabled on all tables to ensure that a user only accesses their own data
- Authentication via magic link (passwordless) — no password to hack
- Regular audit of dependencies for known CVEs
In the event of a data breach affecting your personal information, we will notify you and the CNIL in accordance with article 33 of the GDPR within 72 hours.
Data transfers outside the EU
Some of our processors (Vercel, Google) are based in the United States. Transfers to these processors are governed by the Standard Contractual Clauses (SCC) approved by the European Commission in June 2021, as well as by the Data Privacy Framework for those that adhere to it.
No data is transferred to a country without an adequate protection mechanism.
Changes to this policy
This policy may be updated to reflect changes in the Service, the law or our practices. The date of the last update is indicated at the top of this page. For substantial changes, we will notify you by email before they take effect.
Contact
For any question relating to this policy or your personal data:
- Email: hello@gaating.com
- See also our Legal Notice and Terms of Service

