Privacy Policy

Last updated: 8 April 2026

1. Who we are

Insight is an eCommerce analytics dashboard operated by Tom&Co, a company registered in England and Wales. Our registered address is available on request by contacting us at the email address below.

For the purposes of UK data protection legislation (the UK General Data Protection Regulation and the Data Protection Act 2018), Tom&Co is the data controller.

2. What data we collect

When you use Insight we may collect and process the following personal data:

  • Account information — your name and email address, obtained when you sign in with Google.
  • Google Analytics data — if you choose to connect a Google Analytics property, we access analytics data (e.g. page views, sessions, revenue metrics) via the Google Analytics Data API using the analytics.readonly scope. We do not modify your Google Analytics configuration.
  • Usage data — technical information such as your IP address, browser type, and pages visited within the dashboard, collected automatically for security and service-improvement purposes.

3. How we use your data

We use the data we collect to:

  • Authenticate you and manage your account.
  • Display aggregated eCommerce analytics within the dashboard.
  • Improve and maintain the service.
  • Comply with legal obligations.

Our lawful bases for processing under UK GDPR are: performance of a contract (providing the service you signed up for), legitimate interests (improving and securing the service), and compliance with legal obligations where applicable.

4. Google user data

When you connect Google Analytics, we store an OAuth refresh token so that we can fetch analytics data on your behalf. We do not share, sell, or transfer your Google user data to any third party except as necessary to provide the service (e.g. cloud infrastructure providers). Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

You can revoke Insight's access to your Google account at any time via your Google Account permissions page, or by using the disconnect option within the dashboard.

5. Data storage and security

Your data is stored on Google Cloud infrastructure (Firebase, BigQuery) located in the europe-west2 (London) region. We implement appropriate technical and organisational measures to protect your personal data, including encryption in transit (TLS) and at rest, role-based access controls, and secure credential storage via Google Cloud Secret Manager.

6. Data sharing

We do not sell your personal data. We may share data with:

  • Cloud infrastructure providers (Google Cloud Platform) for hosting and data processing.
  • Law enforcement or regulatory bodies where required by law.

7. Data retention

We retain your account data for as long as your account is active. Analytics data is retained in accordance with your organisation's data retention settings. When you delete your account or disconnect a data source, associated credentials are removed promptly.

8. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate personal data.
  • Request erasure of your personal data.
  • Restrict or object to processing.
  • Request data portability.
  • Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

9. Cookies

Insight uses essential cookies and local storage for authentication and session management. We do not use third-party advertising or tracking cookies.

10. Changes to this policy

We may update this privacy policy from time to time. We will notify you of significant changes by posting a notice within the dashboard. The “last updated” date at the top of this page indicates when the policy was last revised.

11. Contact us

If you have questions about this privacy policy or wish to exercise your data protection rights, please contact us at: admin@tomandco.co.uk