Privacy policy

Last updated: March 3, 2026

Kirro ("we", "us", "our") is an A/B testing platform that helps website owners run experiments and improve their pages. This policy explains what data we collect, how we use it, and how you can control it.

1. What we collect

Account information
When you sign up, we collect your name and email address through Google Sign-In. We use this to create and manage your account.
Website and test data
When you create A/B tests, we store the visual changes you make (CSS selectors, style edits, image replacements) and aggregate test results (visitor counts, conversion rates). We do not collect personally identifiable information about your website visitors.
Usage data
We collect basic usage information such as pages visited within the Kirro dashboard, feature usage, and error logs to improve the product.

2. Google API data

Kirro integrates with Google services to provide analytics and authentication features. This section describes how we handle data from Google APIs.
Google Sign-In
We use Google Sign-In for authentication. We receive your name, email address, and profile picture from Google. This data is used solely to identify you within Kirro.
Google Analytics (GA4) data
If you choose to connect your Google Analytics account, we request read-only access to your GA4 data using the analytics.readonly scope. Specifically, we access:
- GA4 property names and IDs (so you can select which property to connect)
- Top pages by sessions (to help you choose which pages to run A/B tests on)
- Event names and counts (to help you select conversion goals for your tests)
- Aggregate metrics such as sessions, bounce rate, and conversions (to inform your testing decisions)
We do not access personally identifiable visitor data, demographics, or any data beyond what is listed above. All access is read-only. We never modify your Google Analytics configuration or data.
Google Tag Manager data
If you choose to connect your Google Tag Manager account, we request access to read your container configurations and publish changes using the tagmanager.readonly, tagmanager.edit.containers, and tagmanager.publish scopes. This allows Kirro to install the A/B testing code on your website through Tag Manager and publish it so it goes live immediately. We do not access or modify tags, triggers, or variables unrelated to Kirro.
How Google data is stored
OAuth access tokens and refresh tokens are encrypted with AES-GCM before being stored in our database. Aggregate analytics data (page paths, session counts, event names) is cached temporarily to display in your dashboard. We do not store raw Google Analytics reports or personal visitor data.
How to revoke access
You can disconnect your Google Analytics or Google Tag Manager account at any time from your Kirro dashboard settings. This immediately deletes your stored tokens and cached data. You can also revoke access from your Google Account permissions page at myaccount.google.com/permissions.
Limited use disclosure
Kirro's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy (developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements. We only use Google data to provide and improve the features described above. We do not sell, share, or use Google data for advertising, and we do not allow humans to read your Google data unless you give explicit permission, it is necessary for security purposes, or it is required by law.

3. Chrome Extension

The Kirro Chrome Extension has its own privacy policy covering its specific data practices. You can read it at kirro.io/extension/privacy.

4. SDK (website snippet)

When you install the Kirro SDK on your website, it runs in your visitors' browsers to display the correct A/B test version. The SDK:
- Assigns visitors a random test group (stored in a first-party cookie on your domain)
- Sends anonymous conversion events when a visitor completes a goal you defined
- Does not collect personal data, IP addresses, or device fingerprints
- Does not use third-party cookies or tracking

5. Data sharing

We do not sell your data. We share data only with:
Supabase — database hosting and authentication (your account data and encrypted tokens).
Vercel — application hosting (server logs).
Google — authentication and analytics API access (as described above).
We may also share data if required by law or to protect our rights.

6. Data retention

We keep your account data for as long as your account is active. When you delete your account, we delete your data within 30 days. Encrypted tokens are deleted immediately when you disconnect an integration.

7. Security

We protect your data using HTTPS encryption in transit, AES-GCM encryption for stored tokens, row-level security in our database, and regular security reviews. No system is 100% secure, but we take reasonable measures to protect your information.

8. Your rights

You can access your account data from your dashboard, disconnect Google integrations at any time, delete your account and all associated data, and request a copy of your data by emailing us.

9. Cookies

Kirro uses essential cookies for authentication and session management. We do not use advertising or tracking cookies on the Kirro dashboard. The Kirro SDK uses a single first-party cookie on your customers' websites to maintain consistent A/B test assignments.

10. Children's privacy

Kirro is not directed at children under 13 and we do not knowingly collect information from children.

11. Changes to this policy

We may update this policy from time to time. Changes will be posted here with an updated date. For significant changes, we will notify you by email.

12. Contact

Questions about this policy? Reach out.