Privacy Policy

Last updated April 18, 2026

This Privacy Policy describes how Reportly ("we", "us", "our") collects, uses, stores, and shares information when you use the Reportly service at reportlyapp.me (the "Service"). By using the Service you agree to the handling of information as described here.

1. Who we are

Reportly is a software-as-a-service product that helps agencies and freelancers generate AI-written marketing reports for their clients. The Service is operated by Kreative Casa Entertainment (the "Operator"), based in the United Arab Emirates. For privacy questions contact support@reportlyapp.me.

2. Data we collect

We collect the minimum we need to deliver the Service. Specifically:

  • Account data — email address, name (optional), a password stored as a bcrypt hash (we never see the plaintext), and timestamps for signup / login / email verification.
  • Workspace + client data — workspace name, brand color, optional logo URL, the names and contact details of the clients you add, and any notes you attach to them.
  • Integration tokens — OAuth access and refresh tokens for any connected Google Analytics 4, Google Search Console, or Meta Ads accounts. Tokens are encrypted at rest using AES-256 before being written to the database.
  • Analytics data pulled on your behalf — when you generate a report, Reportly fetches metrics from your connected data sources (e.g. sessions, clicks, impressions, ad spend) for the date range you select and stores a snapshot alongside the report.
  • Reports — the AI-generated narrative, key metrics, insights, and any PDFs exported from a report.
  • Billing data — payment is processed by Gumroad. We receive confirmation of a successful subscription (Gumroad sale id, subscription id, amount, currency, status). We never receive or store your credit-card details.
  • Operational data — IP address from request headers (used only to rate-limit abuse-prone endpoints), server logs, and error reports sent to Sentry. We do not use third-party tracking or advertising cookies.

3. How we use your data

  • Provide the core Service — generate reports, deliver PDFs, send share links.
  • Authenticate you (session cookies issued by NextAuth, strictly necessary).
  • Enforce plan limits and prevent abuse via rate limiting.
  • Send you transactional email about your account — email verification, password reset, trial reminders, payment notifications, report delivery.
  • Diagnose and fix errors via Sentry.

We do not use your data or your clients' data to train any machine-learning model. We do not sell or rent your data to anyone.

4. Third-party processors we share with

The following sub-processors receive limited data in order to provide specific functions:

  • Anthropic, PBC (Claude API) — we send your client's metrics and period context so Claude can generate the report narrative. Anthropic states it does not use API-submitted data to train its models.
  • Supabase Inc. — Postgres database and file storage (encrypted PDFs).
  • Vercel Inc. — application hosting and web analytics (aggregated, cookie-less).
  • Resend — transactional email delivery.
  • Inngest Inc. — background-job orchestration (report generation, PDF rendering, trial-ending emails).
  • Upstash Inc. — Redis storage for rate-limit counters and short-lived OAuth state tokens.
  • Sentry (Functional Software, Inc.) — error tracking.
  • Gumroad Inc. — payment processing and subscription management. Gumroad sends us sale and cancellation events via webhook; we do not see card details.
  • Google LLC and Meta Platforms, Inc. — only when you explicitly connect an integration. We exchange an OAuth token and use it strictly to fetch data you authorized.

5. Where data is stored

Application data is stored in Supabase's AWS ap-northeast-1 (Tokyo) region. Some sub-processors (Anthropic, Vercel, Sentry) may process data in the United States or the European Union.

6. Retention

  • Account, workspace, and client data are retained while your account is active.
  • Generated reports and PDFs are retained until you delete them or your account is closed.
  • OAuth tokens are retained while the connection is active and are revoked on disconnect or account closure.
  • Billing records are retained for 7 years to satisfy accounting requirements.
  • Rate-limit counters expire within 1 hour of the last request.

7. Your rights

You can at any time:

  • Access or export your data — email us and we will send you a copy within 30 days.
  • Correct inaccurate data — most fields are editable in Settings.
  • Delete your account — email us and we will delete your account, workspace, clients, reports, and revoke all stored OAuth tokens within 30 days, subject to legal retention requirements for billing.
  • Disconnect integrations — from the Integrations page, which immediately revokes our stored tokens.

If you are in the EEA or UK, you have additional rights under GDPR, including the right to object to processing and the right to lodge a complaint with a supervisory authority.

8. Security

  • Passwords are hashed with bcrypt (cost factor 12).
  • OAuth access and refresh tokens are encrypted at rest with AES-256.
  • All traffic is served over TLS with HSTS preload.
  • Content Security Policy, X-Frame-Options, and other HTTP security headers are enforced.
  • Per-endpoint rate limiting is enforced to mitigate abuse.
  • We run automated error monitoring and follow security advisories for our dependencies.

No system is perfectly secure. If you discover a vulnerability please email support@reportlyapp.me.

9. Children

Reportly is not directed to children under 16. If you believe a child has provided data to Reportly, contact us and we will delete it.

10. Changes to this policy

We may update this policy occasionally. When we do, we will change the "Last updated" date above and, for material changes, notify active users by email.

11. Contact

support@reportlyapp.me