Data & Security

How we use your data

No legal jargon. Here's exactly what we access, what we don't, and how your client data stays secure.

The short version

We connect to your analytics tools with read-only access. We pull data to generate CRO reports for your account. We don't sell it, share it, or use it for anything else. That's it.

What We Access

Read-only connections to your tools

Every integration uses read-only permissions. We cannot modify, delete, or write anything to your connected accounts. The API permissions we request literally don't allow it.

Google Analytics 4

Read-only

Page views, sessions, conversions, traffic sources, device data

Shopify

Read-only

Products, orders, theme structure, used for audit context only

Microsoft Clarity

Read-only

Session recordings, heatmaps, scroll depth, dead clicks

Hotjar

Read-only

Heatmaps, recordings, survey responses

Mouseflow

Read-only

Session replays, funnels, form analytics, friction scores

What We Never Do

Clear boundaries

Modify your analytics configuration or tracking

Write, edit, or delete anything in your connected accounts

Sell, share, or license your data to any third party

Use your data to train AI models

Store raw session recordings (we only read aggregate summaries)

Access data from accounts you haven't explicitly connected

How It Works

Your data, your reports

Connect

You connect a data source using read-only OAuth or an API key. We fetch the specific metrics needed for your audit.

Analyze

Our AI reads the data to generate CRO insights, audit findings, and A/B test hypotheses, for that account only.

Stays yours

Reports belong to you. Data is never shared across accounts, used for other clients, or accessed by anyone else.

Access Control

Who can see your data

Only the account holder and team members you've explicitly invited can access your connected data and generated reports. There is no cross-account visibility. We don't look at your data either. It's processed by AI, not reviewed by humans.

You (account owner)
Your invited team members
Other Funnex users: no access
Funnex team: no access

Revoking Access

Disconnect anytime, instantly

Every integration has a disconnect button on your integrations page. One click removes all permissions immediately. We can no longer read any data from that service. No waiting period, no support ticket, no questions asked.

How to disconnect

Go to your client's settings → Integrations → click "Disconnect" next to any service. Access is revoked immediately.

Infrastructure

Built on trusted infrastructure

We run on Vercel and Supabase, both SOC 2 Type II compliant. Data is encrypted in transit (TLS) and at rest. Authentication uses industry-standard OAuth 2.0 flows and secure token storage.

SOC 2 Type II infrastructure
TLS encryption in transit
Encrypted at rest
OAuth 2.0 authentication

Questions about data security?

We're happy to walk you through our security practices in detail.

Email us at axel@funnexai.com

Last updated: March 2026