Privacy Policy

1. Data controller and contact

The data controller for Reportlyra is the organization operating the Reportlyra product. For privacy requests, including access, correction, or deletion, contact us at privacy@reportlyra.com. We will respond in line with applicable law and our internal processes.

2. Meta (Facebook) and advertising-related data

Organizations using Reportlyra may connect a Meta (Facebook) account for their workspace. When you authorize that connection, we receive credentials (such as OAuth tokens) and access data through Meta's APIs, including the Marketing API, as permitted by your permissions and Meta's terms.

Depending on your setup and what you choose to use in the product, this may include identifiers and metadata associated with ad accounts, Pages, campaigns, ad sets, ads, creatives, and related performance or delivery information. We use this information only to provide Reportlyra features you request, such as:

• Listing and syncing ad accounts, campaigns, and related objects within your workspace;
• Supporting creation, editing, scheduling, and (where enabled) server-side publishing or export of advertising content toward Meta;
• Including advertising performance or related metrics in in-product views and generated reports (for example PDF reports for your clients), where you connect and configure those sources;
• Operating multi-tenant security and access control so only your organization's members see your Meta-linked data.

We do not sell Meta platform data. We process it as a service provider to your organization, subject to our agreements with you, Meta's Platform Terms and policies, and applicable law. Meta's own privacy and data practices also apply to data held on Meta's systems; see Meta's Privacy Policy for how Meta handles personal data on its services.

3. Other information we process

Beyond Meta, we process categories of data typical for a B2B SaaS product, including:

• Account and authentication — e.g. email, password or auth provider data, profile details, organization membership and roles (we use infrastructure such as Supabase for auth and database hosting);
• Workspace content — clients, projects, ads, comments, approvals, calendar plans, and files you upload, as you use the product;
• Other advertising and analytics platforms — if you connect them (for example Google for Google Ads or Google Analytics 4), we process tokens and data from those integrations similarly, for sync, reporting, and publishing features you enable;
• AI and enrichment — where you use features such as brand analysis from URLs or AI-assisted copy or images, we send relevant inputs to our AI and tooling providers (for example Anthropic, xAI, or website fetch services) to generate results for you;
• Technical and usage data — e.g. IP address, device/browser type, timestamps, and logs for security, debugging, and service reliability.

4. Purposes and legal bases

We process data to operate Reportlyra: provide features, authenticate users, enforce organization boundaries, troubleshoot, secure the service, comply with law, and communicate about the product (for example transactional email such as report delivery where you configure it). Where GDPR applies, we rely on appropriate bases such as contract, legitimate interests, and consent where required.

5. Service providers

We use vetted subprocessors for hosting, email, AI, and integrations. Examples aligned with current product capabilities include infrastructure and auth (e.g. Supabase), email delivery (e.g. Resend), AI providers (e.g. Anthropic, xAI), website fetching (e.g. Firecrawl), and platform APIs (Meta, Google, and others you connect). They process data only on our instructions and under contractual safeguards where applicable.

6. Retention and security

We retain data for as long as needed to provide the service, meet legal obligations, resolve disputes, and enforce agreements. Platform credentials (such as OAuth tokens for Meta or other networks) are stored with encryption at rest where our architecture supports it. No method of transmission or storage is completely secure; we work to apply reasonable technical and organizational measures.

7. International transfers

We and our service providers may process data in the European Economic Area, the United States, and other countries where we or they operate. Where required, we use appropriate transfer mechanisms (such as Standard Contractual Clauses) in addition to technical and organizational measures.

8. Your rights and data deletion

Depending on your location, you may have rights to access, rectify, delete, restrict, or object to certain processing, or to data portability. Organization administrators may also control membership and some workspace data. To exercise rights or request deletion of personal data we hold about you in connection with Reportlyra, contact privacy@reportlyra.com. If you connected Meta through our app, Meta may also send user data deletion requests related to our app; we handle those in line with Meta's developer requirements and will delete or anonymize associated data as required.

9. Changes

We may update this policy from time to time. We will adjust the "Last updated" date at the top and, where appropriate, provide additional notice. Continued use of the service after changes means you acknowledge the updated policy.