Privacy Policy

How we collect, use and protect your data. Last updated: May 11, 2026.

Overview

Preamble

Gaating is an online service that allows content creators and digital entrepreneurs to transform any link into an email capture page ("the Service"). This policy explains what data we collect about you and about visitors to your pages, why, with whom it is shared and how long it is kept.

This policy complies with the General Data Protection Regulation (GDPR), the French Data Protection Act, as well as the specific requirements of the Google API Services User Data Policy.

Who are we?

Data controller

The controller of data collected via the Service is:

  • Gaating — publisher of the Service
  • Email: hello@gaating.com
  • Full contact details: see Legal Notice

What we collect

Data collected

A. Data from your Gaating account

  • Email (for authentication via Supabase magic link)
  • First name and last name if you provide them during onboarding (optional)
  • Session cookies issued by Supabase Auth to keep you logged in

C. Data of visitors to your capture pages

When a visitor accesses gaating.com/<slug> and submits the form, we collect:

  • The fields explicitly entered (email, first name, phone according to your configuration)
  • The consent ticked if the checkbox is activated
  • Minimal technical metadata: browser user-agent, referer (URL of origin of the click), IP address (used only for anti-bot click counting, not resold)
  • A click counter on the page to calculate your conversion rate

You are joint controller

As the creator of capture pages, you are joint controller with Gaating with regard to the leads you collect. It is up to you to obtain their consent, to provide them with clear information on the intended use, and to respect their rights.

Why we collect

Purposes of processing

Your data is used only to:

  • Provide you with the Service (link creation, capture page, dashboard, exports — legal basis: performance of the contract)
  • Route your leads to your connected tools (Brevo, Sheets, etc. — legal basis: performance of the contract)
  • Contact you for essential information about the Service or support (legal basis: legitimate interest)
  • Improve the product by analyzing anonymized statistics (legal basis: legitimate interest)

We never sell your data. We do not share your data with advertisers or data brokers.

Google specific

Use of Google API data

When you connect your Google account to Gaating to use the Google Sheets connector, we access the following data via the Google APIs, with your explicit authorization via the OAuth 2.0 flow:

| Requested scope | Why | Google classification |
|---|---|---|
| drive.file | Per-file access. Allows only reading and writing in the Google Sheets that you explicitly select via the Google Picker. No access to other files in your Drive. | Non-sensitive |
| userinfo.email, profile | Display your connected Google email for identification in Gaating | Non-sensitive |

No sensitive scope

Gaating has chosen not to use any scope that Google classifies as "sensitive". Concretely: we cannot list your Drive or read arbitrary files. We only see the Sheets you designate one by one via the Picker.

Google API Services User Data Policy — Limited Use

Gaating's use of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. Concretely, this means that:

  • Google data is used only to provide the Service features explicitly requested by you (list your Sheets, write leads into them)
  • We do not transfer Google data to third parties, except as necessary to provide the Service or as required by law
  • We do not use Google data for personalized advertising
  • We do not allow humans to read your Google data unless you give explicit consent, it is necessary for security, it is needed to comply with the law, or it is for internal operations in anonymized and aggregated form

What we store on the Gaating side

  • An encrypted Google refresh token (AES-256-GCM with a master key on the server side) — this token allows generating a temporary access token at each lead dispatch
  • Your connected Google email address
  • Per link: the ID of the Sheet and the name of the target tab (not the content of the Sheet)
  • Send logs: status (success / failure), Google HTTP return code, error message where applicable

How to revoke Google access

You can at any time:

  • Click on Disconnect Google in /app/connectors/googlesheets — this deletes the encrypted refresh token from our DB
  • Revoke access directly on myaccount.google.com/permissions — this immediately invalidates the refresh token on the Google side

With whom

Processors and data sharing

To run the Service, we use the following processors. Each processes your data only to provide a technical service to Gaating, within the framework of a processing agreement compliant with article 28 of the GDPR.

| Processor | Role | Location |
|---|---|---|
| Supabase | Database + authentication | EU (Frankfurt) |
| Vercel | App hosting | EU + USA |
| Resend / SendGrid | Sending of transactional emails (magic links) | USA |
| Brevo, Mailchimp, Google, etc. | If you activate a connector, your leads are transmitted to these services at your request | Variable |

Transfers to processors outside the EU are governed by the Standard Contractual Clauses (SCC) of the European Commission or by an adequacy decision.

How long

Retention period

  • User account: as long as your account is active. Deletion on request within 30 days.
  • Links and leads: kept as long as your account is active. Upon deletion of the account, your links are deleted (DB cascade) and your leads with them.
  • Refresh tokens and connector API keys: as long as the connector is active. Deleted immediately upon disconnection.
  • Dispatch logs: 90 days, then automatically purged.
  • Server logs (Vercel): 7 days, managed by Vercel.

GDPR

Your rights

In accordance with the GDPR, you have the following rights:

  • Right of access: obtain a copy of the data concerning you
  • Right of rectification: correct inaccurate data
  • Right to erasure: request the deletion of your account and data
  • Right to portability: retrieve your data in a readable format (CSV export of leads available at any time in the app)
  • Right to object: object to certain processing
  • Right to restriction: temporarily freeze processing
  • Right to withdraw your consent at any time
  • Right to lodge a complaint with the CNIL: cnil.fr/fr/plaintes

To exercise these rights, contact us at hello@gaating.com.

How we protect

Security

  • All communications with Gaating are encrypted with HTTPS (TLS 1.2+)
  • Third-party API keys (Brevo) and OAuth refresh tokens (Google) are encrypted in the database with AES-256-GCM, with the master key stored outside the database in our environment variables
  • Postgres Row Level Security enabled on all tables to ensure that a user only accesses their own data
  • Authentication via magic link (passwordless) — no password to hack
  • Regular audit of dependencies for known CVEs

In the event of a data breach affecting your personal information, we will notify you and the CNIL in accordance with article 33 of the GDPR within 72 hours.

Cookies

Cookies and trackers

Gaating uses a minimal number of cookies strictly necessary for the operation of the Service:

  • Supabase session cookies: to keep you logged in between pages. Duration: session or 30 days depending on "remember me".
  • OAuth state cookie: placed temporarily during the Google OAuth flow to protect against CSRF. Duration: 10 minutes max.

No advertising or third-party tracking cookies. No Google Analytics, no Meta pixel. Consent is therefore not required (cookies strictly necessary within the meaning of the ePrivacy directive).

International

Data transfers outside the EU

Some of our processors (Vercel, Google) are based in the United States. Transfers to these processors are governed by the Standard Contractual Clauses (SCC) approved by the European Commission in June 2021, as well as by the Data Privacy Framework for those who adhere to it.

No data is transferred to a country without an adequate protection mechanism.

Updates

Changes to this policy

This policy may be updated to reflect changes to the Service, the law or our practices. The date of last modification is indicated at the top of this page. For substantial modifications, we will notify you by email before they take effect.

A question?

Contact

For any question relating to this policy or your personal data:

  • Email: hello@gaating.com
  • See also our Legal Notice and Terms of Service