Privacy Policy
Effective date: 15 April 2026
Last updated: 19 April 2026
This Privacy Policy describes how Norelabs (“we”, “us”, “our”) collects, uses, and shares personal data when you use the mobile-metrix service available at https://mobile-metrix.norelabs.com and related APIs (the “Service”).
1. Data Controller
The data controller is:
Norelabs — sole proprietorship registered in Poland. Contact: support@norelabs.com
As a controller established in the European Union, we process personal data in accordance with Regulation (EU) 2016/679 (the “GDPR”) and the Polish Act on the Protection of Personal Data of 10 May 2018.
2. What Data We Collect
2.1 Data you provide directly
- Email address — collected at checkout by our payment processor (Stripe) when you purchase a subscription.
- OAuth authorization tokens — when you connect a third-party account (Google Analytics (GA4), Google Ads, Google Play Console, RevenueCat, or Apple Search Ads), we receive access and refresh tokens that allow the Service to read analytics data on your behalf. We do not receive your passwords.
- Support correspondence — any messages you send to support@norelabs.com.
2.2 Data generated automatically
- Install identifier — a random UUID (install_id) created on your device the first time you use the Service. It is not linked to your real identity unless you subscribe.
- License binding — a hash of device information (operating system, hostname) stored alongside your install_id to enforce the three-device limit described in our Terms of Use.
- Usage logs — timestamps, tool names, and query parameters sent to our backend when you invoke a Service feature. These logs do not include the content of the analytics data we return to you.
- Technical logs — IP address, user agent, and request metadata collected by our hosting provider (Google Firebase) for security, abuse prevention, and debugging. IP addresses are truncated or deleted within 30 days.
2.3 Data fetched from third-party platforms on your behalf
When you connect Google Analytics (GA4), Google Ads, Google Play Console, RevenueCat, or Apple Search Ads, the Service queries analytics data from those platforms using the OAuth tokens you provided. We do not permanently store this analytics data; it is fetched on demand, returned to your AI client (for example Claude Code), and discarded.
We do not collect special categories of personal data (health, biometric, religious, political, etc.).
3. Why We Process Your Data (Legal Bases)
| Purpose | Legal basis under GDPR Art. 6 |
|---|---|
| Providing the core Service (authenticating you, running queries on connected platforms, enforcing subscription limits) | Performance of a contract — Art. 6(1)(b) |
| Processing payments and preventing fraud | Performance of a contract and legal obligation — Art. 6(1)(b), (c) |
| Keeping security, technical, and abuse-prevention logs | Legitimate interest in operating a secure service — Art. 6(1)(f) |
| Responding to support requests | Legitimate interest and, where applicable, contract — Art. 6(1)(b), (f) |
| Complying with Polish tax and accounting law | Legal obligation — Art. 6(1)(c) |
4. Who We Share Data With (Processors and Partners)
We use the following categories of service providers, who act as processors on our behalf:
- Google LLC / Google Ireland Ltd. — Firebase Hosting, Firebase Functions, and Firestore (infrastructure). We also act as an OAuth 2.0 client of Google APIs to read, on your behalf, data from Google Analytics, Google Ads, and Google Play Console. We do not share your data with Google beyond what Google already receives as the data provider. Servers are located in the European Union and the United States. Google’s own privacy policy applies to their handling of your Google account data: https://policies.google.com/privacy
- Stripe Payments Europe, Ltd. — payment processing and subscription billing. Stripe is the controller of payment-card data.
- RevenueCat, Inc. — when you connect RevenueCat, its privacy policy applies to its own processing: https://www.revenuecat.com/privacy
- Apple Inc. — when you connect Apple Search Ads, its privacy policy applies to its own processing: https://www.apple.com/legal/privacy/
We do not sell personal data. We do not share personal data for advertising or profiling purposes.
5. International Data Transfers
Some of our processors (in particular Google Cloud and Stripe) operate infrastructure outside the European Economic Area. Where personal data is transferred to a third country, the transfer is protected by the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914), together with supplementary measures where required.
6. How Long We Keep Data
| Data | Retention |
|---|---|
| OAuth tokens | Until you disconnect the integration or delete your install |
| Install identifier and license binding | Until you request deletion or 24 months of inactivity, whichever comes first |
| Subscription and billing records | 5 years after the end of the relevant tax year, as required by Polish law |
| Technical logs | Up to 30 days |
| Usage logs | Up to 12 months |
| Support correspondence | 24 months after resolution |
When a retention period ends, data is either permanently deleted or irreversibly anonymised.
7. Your Rights
Under the GDPR you have the right to:
- access your personal data and obtain a copy (Art. 15);
- request rectification of inaccurate data (Art. 16);
- request erasure (“right to be forgotten”, Art. 17);
- restrict processing (Art. 18);
- data portability (Art. 20);
- object to processing based on legitimate interest (Art. 21);
- withdraw consent at any time where processing is based on consent (Art. 7), without affecting the lawfulness of prior processing.
To exercise any of these rights, email support@norelabs.com. We will respond within one month, extendable by two further months where necessary. If you believe your rights have been infringed, you may lodge a complaint with the Polish supervisory authority:
Prezes Urzędu Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, Poland, https://uodo.gov.pl
8. Google User Data & Scopes
When you connect a Google account, we request the minimum scopes needed for reporting. We access this data only to return it to you via the Service; we do not use it for any other purpose.
| Scope | What we access | Why |
|---|---|---|
| https://www.googleapis.com/auth/analytics.readonly | Your Google Analytics 4 reports (metrics, dimensions, events) | Surface analytics data via AI assistant queries |
| https://www.googleapis.com/auth/adwords | Your Google Ads campaign metrics (impressions, clicks, cost, conversions) | Report ad spend and correlate with in-app revenue. Read-only — we do not create, modify, or delete campaigns. |
| https://www.googleapis.com/auth/androidpublisher | Your Google Play Console data | Report on Android app performance |
| https://www.googleapis.com/auth/playdeveloperreporting | Play Console aggregate reports | Surface Play Console metrics via AI assistant queries |
Limited Use disclosure: Mobile Metrix’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
9. Security
We apply industry-standard technical and organisational measures to protect your data, including encryption in transit (TLS 1.2+), encryption at rest for OAuth tokens, access controls, and the principle of least privilege. No system is perfectly secure; you use the Service at your own risk.
10. Children
The Service is not directed at children under 16 and we do not knowingly collect data from them. If you believe a child has provided us with personal data, please contact support@norelabs.com.
11. Cookies and Similar Technologies
The website https://mobile-metrix.norelabs.com uses only strictly necessary cookies required to operate authentication and payment flows. We do not use advertising cookies or third-party analytics trackers on the marketing website.
12. Automated Decision-Making
We do not make decisions about you based solely on automated processing that produce legal or similarly significant effects.
13. How to Revoke Access
You can disconnect any connected integration at any time:
- In the Service: visit your manage page and click “Disconnect” next to the integration. This revokes the token on our server and deletes it from our database.
- At Google: visit Google Account permissions to revoke access directly from Google’s side, which invalidates any tokens regardless of our server.
When you disconnect, we delete the associated OAuth refresh token from our database within 7 days. Cached query data (if any) is also deleted.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be announced on the website at least 14 days before they take effect and, where we have your email address, by email. The “Last updated” date at the top of this page reflects the most recent revision.
15. Contact
Questions, requests, and complaints regarding this Privacy Policy:
Norelabs — sole proprietorship, Poland. Email: support@norelabs.com