At Google, we are keenly aware of the trust you place in us and our responsibility to protect your privacy. As part of this responsibility, we let you know what information we collect when you use our products and services, why we collect it, and how we use it to improve your experience. The Google Privacy Policy describes how we treat personal information when you use Google's products and services, including Google Analytics.

Like many services, Google Analytics uses first-party cookies to report on visitor interactions. These cookies are used to store non-personally identifiable information, such as what time the current visit occurred, whether the visitor has been to the site before, and what site referred the visitor to the web page. Browsers do not share first-party cookies across domains.

For customers that have enabled the Remarketing with Google Analytics feature, a third-party DoubleClick cookie is used to enable remarketing for products like AdWords on the Google Display Network. For more information about this cookie, visit the Google Advertising Privacy FAQ. To manage your settings for this cookie and opt-out of this feature, visit the Ads Preferences Manager.

Every computer and device connected to the Internet is assigned a unique number known as an Internet protocol (IP) address. Since these numbers are usually assigned in country-based blocks, an IP address can often be used to identify the country, state, and city from which a computer is connecting to the Internet. Because IP addresses need to be used by websites in order for the Internet to function, website owners have access to the IP addresses for their visitors regardless of whether or not they use Google Analytics. Google Analytics, however, only collects the IP address of website visitors in order to provide and protect the security of the service, and to give website owners a sense of where in the world their visitors come from (also known as "IP geolocation").

Google Analytics does not share actual IP address information with Google Analytics customers. Additionally, using a method known as IP masking, website owners that use Google Analytics have the option to tell Google Analytics to only use a portion of the IP address, rather than the entire IP address, for geolocation.

As outlined in Google's privacy policy, Google Analytics protects the confidentiality of your data in several ways:

• Personal information - Information that personally identifies an individual, such as a name, email address or billing information, or other data which could be reasonably linked to such information by Google. The Google Analytics Terms of Service, which all Google Analytics customers must adhere to, prohibits the tracking or collection of this information using Google Analytics.
• No data-sharing without consent - Google Analytics data may not be shared without user consent, except under certain limited circumstances, such as when required by law.
• Ongoing investment in security - Security-dedicated engineering teams at Google guard against external threats to data. Internal access to data (e.g., by employees) is strictly regulated and subject to the Employee Access Controls and Procedures.
• Policy enforcement - Google audits compliance with its own privacy policies.

Google provides controls to Google Analytics customers and their site visitors to provide more choice on how their data is collected by Google Analytics.

For visitors that do not want their visit data used by Google Analytics, we developed the Google Analytics Opt-out Browser Add-on. Browsers that have this add-on installed communicate with the Google Analytics JavaScript to indicate that information about the website visit should not be sent to Google Analytics. The Google Analytics Opt-out Browser Add-on does not prevent information from being sent to the website itself or to other web analytics services.

Learn more about the Google Analytics Opt-out Browser Add-on.

For site owners that want to provide visitors with controls to opt in or out of having visit data from their site used by Google Analytics, we have developed an API that allows for programmatically disabling tracking on a page or across a site. This API can be used by site owners who want to build their own controls, or by third party developers who have built privacy controls for sites to implement.

Learn more about the User Privacy Control API.

Some customer sites implement the Remarketing with Google Analytics feature, which makes use of the third-party DoubleClick cookie. Users can manage their settings for this cookie and opt-out of this feature by visiting the Ads Preferences Manager.

Google Analytics data sharing settings govern whether and how Google's automated processes can access an account's data. Automated processes use the shared data to provide additional information and capabilities to the Google Analytics account. Data sharing settings may be edited, at any time, on the Account Settings page.

• Share my Google Analytics data with other Google products only: This option restricts data access to Google only, and enables integrations with products including AdWords and AdSense. Selecting this option makes it possible to, for example, import Google Analytics goals into AdWords.
• Share my Google Analytics data anonymously with Google and others: Share my Google Analytics data anonymously with Google and others: This option enables access to anonymous benchmarking reports. Google removes any information that might identify the source websites, combines the data with hundreds of other anonymous sites that use Google Analytics in comparable industries, and reports aggregate trends. Shared data is completely anonymous, and can't be tied back to individual accounts.

If you do not select either option, your data will be excluded from any automated processes that aren't specifically related to operating and improving Google Analytics or protecting the security and integrity of the data.

Learn more about about Data Sharing Options.

Customers own their Google Analytics data. Customers may export their reports at any time from Google Analytics (using the XML, PDF or CSV download options, or via the Google Analytics Core Reporting API). They may use exported data with other applications/services in conjunction with Google Analytics, or stop using Google Analytics altogether.

Customers may delete any profile within a Google Analytics account for which they have administrator access.

Google classifies Google Analytics data as confidential information. Employee access controls protect customer data from unauthorized access, and we conduct audits to ensure the controls are enforced.

• All account data is confidential and subject to the confidentiality provisions of Google's Privacy Policy.
• Access to customer-level account data may be granted on a strict need-only basis to employees who require the specific access to perform their jobs. Employees requesting access must explain why they need the access, demonstrate familiarity with the access policy and agree to its terms and conditions, and receive approval before they can access the data.
• Customer Service Representatives and support personnel may not access customer-level data without explicit permission from the customer.
• When accessing customer data, employees will restrict activity to those reports they need to complete their official duties.
• Employees may not access data using any network-enabled device not owned or approved by Google.

In web-based computing, security of both data and applications is critical. Google dedicates significant resources towards securing applications and data handling to prevent unauthorized access to data.

Data is stored in an encoded format optimized for performance, rather than stored in a traditional file system or database manner. Data is dispersed across a number of physical and logical volumes for redundancy and expedient access, thereby obfuscating it from tampering.

Google applications run in a multi-tenant, distributed environment. Rather than segregating each customer's data onto a single machine or set of machines, data from all Google customers (consumers, business, and even Google's own data) is distributed amongst a shared infrastructure composed of Google's many homogeneous machines and located in Google's data centers.

To minimize service interruption due to hardware failure, natural disaster, or other catastrophe, Google implements a comprehensive disaster recovery program at all of its data centers. This program includes multiple components to eliminate single point of failure, including the following:

Data replication and backup: To help ensure availability in the event of a disaster, Google Analytics data stored in Google's distributed file system is replicated to separate systems in different data centers.

Google operates a geographically distributed set of data centers that is designed to maintain service continuity in the event of a disaster or other incident in a single region. High-speed connections between the data centers help ensure swift failover. Management of the data centers is also distributed to provide location-independent, around-the-clock coverage, and system administration.

In addition to the redundancy of data and regionally disparate data centers, Google also has a business continuity plan for its headquarters in Mountain View, CA. This plan accounts for major disasters, such as a seismic event or a public health crisis, and it assumes people and services may be unavailable for up to 30 days. This plan is designed to enable continued operations of our services for our customers.

Google's computing clusters are designed with resiliency and redundancy in mind, helping minimize single points of failure and the impact of common equipment failures and environmental risks. Dual circuits, switches, networks, and other necessary devices are utilized to provide redundancy. Facilities infrastructure at the data centers has been designed to be robust, fault tolerant, and concurrently maintainable.