Privacy Policy
Last updated April 23, 2026
This Privacy Policy describes how Reportly ("we", "us", "our") collects, uses, stores, and shares information when you use the Reportly service at reportlyapps.com (the "Service"). By using the Service you agree to the handling of information as described here.
1. Who we are
Reportly is a software-as-a-service product that helps agencies and freelancers generate AI-written marketing reports for their clients. The Service is operated by Kreative Casa Entertainment (the "Operator"), based in the United Arab Emirates. For privacy questions contact support@reportlyapps.com.
2. Data we collect
We collect the minimum we need to deliver the Service. Specifically:
- Account data — email address, name (optional), a password stored as a bcrypt hash (we never see the plaintext), and timestamps for signup / login / email verification.
- Workspace + client data — workspace name, brand color, optional logo URL, the names and contact details of the clients you add, and any notes you attach to them.
- Integration tokens — OAuth access and refresh tokens for any connected Google Analytics 4, Google Search Console, or Meta Ads accounts. Tokens are encrypted at rest using AES-256 before being written to the database.
- Analytics data pulled on your behalf — when you generate a report, Reportly fetches metrics from your connected data sources (e.g. sessions, clicks, impressions, ad spend) for the date range you select and stores a snapshot alongside the report.
- Reports — the AI-generated narrative, key metrics, insights, and any PDFs exported from a report.
- Billing data — payment is processed by Gumroad. We receive confirmation of a successful subscription (Gumroad sale id, subscription id, amount, currency, status). We never receive or store your credit-card details.
- Operational data — IP address from request headers (used only to rate-limit abuse-prone endpoints), server logs, and error reports sent to Sentry. We do not use third-party tracking or advertising cookies.
3. How we use your data
- Provide the core Service — generate reports, deliver PDFs, send share links.
- Authenticate you (session cookies issued by NextAuth, strictly necessary).
- Enforce plan limits and prevent abuse via rate limiting.
- Send you transactional email about your account — email verification, password reset, trial reminders, payment notifications, report delivery.
- Diagnose and fix errors via Sentry.
We do not use your data or your clients' data to train any machine-learning model. We do not sell or rent your data to anyone.
4. Third-party processors we share with
The following sub-processors receive limited data in order to provide specific functions:
- Anthropic, PBC (Claude API) — we send your client's metrics + period context so Claude can generate the report narrative. Anthropic states it does not use API-submitted data to train its models.
- Supabase Inc. — Postgres database and file storage (encrypted PDFs).
- Vercel Inc. — application hosting and web analytics (aggregated, cookie-less).
- Resend — transactional email delivery.
- Inngest Inc. — background-job orchestration (report generation, PDF rendering, trial-ending emails).
- Upstash Inc. — Redis storage for rate-limit counters and short-lived OAuth state tokens.
- Sentry (Functional Software, Inc.) — error tracking.
- Gumroad Inc. — payment processing and subscription management. Gumroad sends us sale and cancellation events via webhook; we do not see card details.
- Google LLC and Meta Platforms, Inc. — only when you explicitly connect an integration. We exchange an OAuth token and use it strictly to fetch data you authorized.
5. Google API Services — Limited Use disclosure
When you connect a Google integration (Google Analytics 4, Google Search Console, or Google Ads), Reportly requests OAuth access to specific Google API scopes. The specific scopes we request and what each is used for are:
- Google Analytics 4 — scope .../auth/analytics.readonly. Used only to list the GA4 properties you own and pull the metrics for the date range you pick (sessions, users, pageviews, sources, events, conversions) so we can include them in the report you are generating. We do not modify any data in your Analytics account.
- Google Search Console — scope .../auth/webmasters.readonly. Used only to list the verified sites on your Google account and pull search-performance metrics (clicks, impressions, top queries, pages, countries, devices) for the date range you pick.
- Google Ads — scope .../auth/adwords. Used only to list the ad accounts accessible to your Google login and pull campaign performance metrics (spend, clicks, impressions, conversions) for the date range you pick.
- Basic profile — scopes openid, email, profile when you use “Sign in with Google”. Used only to identify your Reportly account.
Reportly's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
This means, specifically:
- We only use Google user data to provide and improve user-facing features of Reportly — namely, generating the marketing reports you ask us to generate.
- We do not transfer Google user data to third parties except as needed to provide the Service (e.g. we send metric values, never OAuth tokens, to Anthropic's Claude API to compose the report narrative, and we store encrypted tokens in Supabase and transient rate-limit data in Upstash as listed in Section 4).
- We do not use Google user data for advertising, to build profiles, or to resell to data brokers.
- We do not allow humans to read your Google user data except: (a) with your explicit consent to resolve a specific support issue, (b) when required for security investigations or to comply with applicable law, or (c) when the data has been aggregated and is used for internal operations, in accordance with the Limited Use policy.
- We do not use your Google user data to train generalized machine-learning models.
You can revoke Reportly's access to your Google account at any time by visiting myaccount.google.com/permissions and removing Reportly, or by clicking Remove next to the integration on the Integrations page inside Reportly (which both revokes the token with Google and deletes the stored token from our database).
6. Where data is stored
Application data is stored in Supabase's AWS ap-northeast-1 (Tokyo) region. Some sub-processors (Anthropic, Vercel, Sentry) may process data in the United States or the European Union.
7. Retention
- Account, workspace, and client data are retained while your account is active.
- Generated reports and PDFs are retained until you delete them or your account is closed.
- OAuth tokens are retained while the connection is active and are revoked on disconnect or account closure.
- Billing records are retained for 7 years to satisfy accounting requirements.
- Rate-limit counters expire within 1 hour of the last request.
8. Your rights
You can at any time:
- Access or export your data — email us and we will send you a copy within 30 days.
- Correct inaccurate data — most fields are editable in Settings.
- Delete your account — email us and we will delete your account, workspace, clients, reports, and revoke all stored OAuth tokens within 30 days, subject to legal retention requirements for billing.
- Disconnect integrations — from the Integrations page, which immediately revokes our stored tokens.
If you are in the EEA or UK, you have additional rights under GDPR, including the right to object to processing and the right to lodge a complaint with a supervisory authority.
9. Security
- Passwords are hashed with bcrypt (cost factor 12).
- OAuth access and refresh tokens are encrypted at rest with AES-256.
- All traffic is served over TLS with HSTS preload.
- Content Security Policy, X-Frame-Options, and other HTTP security headers are enforced.
- Per-endpoint rate limiting is enforced to mitigate abuse.
- We run automated error monitoring and follow security advisories for our dependencies.
No system is perfectly secure. If you discover a vulnerability please email support@reportlyapps.com.
10. Children
Reportly is not directed to children under 16. If you believe a child has provided data to Reportly, contact us and we will delete it.
11. Changes to this policy
We may update this policy occasionally. When we do, we will change the "Last updated" date above and, for material changes, notify active users by email.