Privacy Policy
Last updated: 30 June 2026
This policy explains how datareport.ai (Florian Stangl, Austria) (“we”, “us”) handles personal data when you visit our website, join our waitlist, or use the product. We are committed to the EU General Data Protection Regulation (GDPR).
Our two roles
For data about visitors, waitlist subscribers, and account users, we are the data controller.
For the data you connect from your own tools (e.g. Google Analytics, Search Console, PostHog) to generate reports for your clients, we act as a data processor on your behalf — you remain the controller of that data. A Data Processing Agreement is available to customers.
What we collect and why
- Account data (name, email, organization) — to create and operate your account. Legal basis: performance of a contract.
- Waitlist email — if you sign up for the beta. Legal basis: your consent (double opt-in); you can unsubscribe at any time.
- Connected data sources (analytics, search, product metrics you authorize) — processed solely to generate your reports. We store normalized metric snapshots and generated reports; we do not store raw API responses.
- OAuth tokens & API keys — encrypted at rest (AES-256) to maintain your connections; deleted when you disconnect an integration.
- Usage analytics (pages viewed, clicks) via our self-hosted, first-party analytics. On our public website this runs cookieless (no cookies, IP truncated for EU/UK, no names/emails). Inside the signed-in app, where you are an authenticated customer, it uses a first-party cookie tied to your account so we can understand product usage and improve the service. Legal basis: legitimate interest. You can opt out at any time (the “Decline” option, or the footer link).
- In-app feedback (Userback) in the signed-in app, which may capture a screenshot and your account identity when you submit feedback — loaded only with consent.
- Security & audit logs (e.g. sign-in events, IP address) — to keep the service secure. Legal basis: legitimate interest.
Cookies & tracking
Essential cookies (sign-in/session, theme preference, your cookie choice) are always active — they are required for the site to function. Analytics on the public site is cookieless; inside the signed-in appa first-party analytics cookie is used (legitimate interest). You can opt out of analytics via “Decline” or the footer link. The in-app feedback widget (Userback) loads only after you accept, and only inside the app.
Sub-processors
We share data with the following processors, only as needed to run the service:
| Provider | Purpose | Location |
|---|---|---|
| Contabo (EU VPS) | Hosting: app, database, files, background jobs | EU (Germany) |
| Brevo | Transactional & waitlist email | EU |
| Analytics & Search Console data you connect | Customer-authorized API (Google infrastructure, under SCCs) | |
| PostHog | Product analytics you connect | EU Cloud (or your own region) |
| EUrouter | AI/LLM processing for report commentary | EU |
| Userback | In-app feedback widget (signed-in app) | Australia / US — under SCCs |
| Usermaven | Self-hosted analytics (web cookieless · in-app cookie) | EU |
Where a provider is outside the EU, transfers rely on Standard Contractual Clauses (SCCs) or an equivalent safeguard. We will notify customers of material changes to this list.
Google user data (Limited Use)
When you connect Google Analytics or Google Search Console, datareport.ai requests read-only access (analytics.readonly and webmasters.readonly) and uses it solely to read your metrics — Analytics sessions and traffic, and Search Console clicks, impressions, average position and top queries/pages — to display them in your dashboards and in the reports you generate for your clients. We never modify your Google data or settings.
datareport.ai’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: we do not use Google user data for advertising; we do not sell it; we do not transfer it except as needed to provide or improve these user-facing features, to comply with applicable law, or in connection with a merger or acquisition; and we do not allow humans to read it except with your explicit consent, for security or to comply with law, or where the data has been aggregated and anonymized. Google user data is never used to train generalized AI/ML models.
You can revoke datareport.ai’s access at any time by disconnecting the integration in the app, or via your Google Account permissions.
How long we keep data
- Account & report data: for as long as your account is active.
- After account deletion: hard-deleted (cascade across integrations, reports, metrics, files, job schedules) within 30 days.
- OAuth tokens: deleted immediately when you disconnect an integration.
- Security/audit logs: up to 90 days.
- Encrypted backups: 30-day rolling, then auto-purged.
Your rights
Under the GDPR you have the right to:
- access the personal data we hold about you;
- rectify inaccurate data;
- erase your data (“right to be forgotten”);
- restrict or object to processing;
- data portability;
- withdraw consent at any time (e.g. decline analytics, unsubscribe from email);
- lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde, dsb.gv.at) or your local supervisory authority.
To exercise any of these, email privacy@datareport.ai. We respond within the timeframes required by law.
Security
We host in the EU, encrypt credentials at rest, scope every query to your organization, request read-only connector permissions wherever possible, and follow a documented breach notification process (affected customers notified within 72 hours).
Contact
Questions or requests: privacy@datareport.ai. Operated by Florian Stangl, Austria.