Google Ads takes care to preserve the confidentiality and security of your data and aims to provide clear information about the limited ways this data is used. Your data is kept confidential and secure using the same industry-leading standards that Google uses to protect its own users’ data.
Google Ads store sales measurement allows you to measure how offline sales are influenced by ad campaigns Google has carried out on your behalf in a privacy-safe way. Google is committed to protecting the confidentiality and security of the data you share. This article explains how Google handles the offline sales data you upload, or that a third party uploads on your behalf, for use in store sales measurement.
On this page
How Google handles your data
The data files you upload will be used to match your customers to Google accounts and report the offline sales influenced by campaigns that Google has run on your behalf using its ads products. Your data is kept confidential and secure using the same industry-leading standards that Google uses to protect its own users’ data.
Here’s how the data you upload is handled:
- Limited data use: Google will only use your data files for store sales (uploads) to provide you services, including technical support, and to ensure compliance with our policies. For example, we'll match the transaction data that you upload with ad click and view data from ad campaigns that Google has run on your behalf, to report offline conversions or perform incrementality studies. To improve your store sales measurement, Google may also combine your uploaded transaction data with data from other Google measurement products you use, such as store visits. For some products, you may also instruct Google to generate Customer Match lists using the transaction data uploaded. Google uses privacy-safe conversion data for the overall benefit of advertisers for certain features like automated Smart Bidding to improve their overall quality and accuracy.
- Limited data access: Google uses employee access controls to protect your data files from unauthorized access.
- Limited data sharing: Google won’t share your data files with any third party, including other advertisers. Google may share this data to meet any applicable law, regulation, legal process or enforceable governmental request where required.
- Data security: Google is committed to ensuring that the systems we use to store your data files remain secure and reliable. Dedicated security engineering teams protect against external threats to Google’s systems and all your data files are stored in an encrypted format to protect against unauthorized access. Google only reports privacy-safe data.
Data security certifications
ISO 27001
The International Organization for Standardization (ISO) is an independent, non-governmental international organization with an international membership of 163 national standards bodies. The ISO/IEC 27000 family of standards helps organizations keep their information assets secure.
ISO/IEC 27001 outlines and provides the requirements for an information security management system (ISMS), specifies a set of best practices, and details the security controls that can help manage information risks.
Google has earned ISO 27001 certification for the systems, applications, people, technology, processes and data centers serving a number of Google products, including store sales (uploads). Download the Google Ads/Analytics Scope Expansion Certificate — ISO27001 (PDF) or learn more about ISO 27001.
Data hashing
You're responsible for putting together your data files. Customer data needs to be hashed using the SHA256 algorithm, which is the industry standard for one-way hashing.
Only the personally identifiable customer data in your files, such as email, phone numbers, first name, and last name should be hashed. Don’t hash country, state, and zip code data.
- If you are performing a one-time upload of a .csv file through the Google Ads interface, you may choose to upload unhashed data since it will be automatically hashed in the browser upon submission.
- For all other file formats, such as XLS or Google Sheets, and for all other upload types, such as Scheduled Uploads or the Google Ads API, the customer data must be manually hashed using the SHA256 algorithm in the source file prior to submission.
- You must upload the data files using Google Ads or the Google Ads API. Google uses Transport Layer Security (TLS) for your upload, which is the industry standard for securely transferring files.
About the matching process
Google will use the matched transaction records to combine with ad click or view information from campaigns you've instructed Google to run, to produce reports demonstrating offline sales driven by Google advertising.
Here are more details about the matching process and how Google processes the files you upload or that a third party uploads on your behalf:
- Email matching: For matching based on your customers’ email addresses, after you've uploaded your data file with hashed email addresses, Google Ads will compare each hashed string in your file with the hashed string or email address of Google accounts. If there's a match, those transaction records will be marked as matched.
- Address matching: For matching based on your customers’ mailing addresses, Google joins hashed name and address information for Google accounts to construct a matching key. After you've uploaded your data file with hashed customer names and addresses (don’t hash zip code and country data), Google constructs a similar key based on your data and then compares each key in your file with the keys based on Google accounts. If there's a match, those transaction records will be marked as matched.
- Phone matching: Similar to email matching, after you've uploaded your data file with hashed phone numbers, Google Ads will compare each hashed string in your file with the hashed string or phone numbers of Google accounts. If there's a match, those transaction records will be marked as matched.
- Google will use the matched transaction records to combine with ad click or view information from campaigns you've instructed Google to run, to produce privacy-safe reports demonstrating offline sales driven by Google advertising.