Privacy Policy | Reportly

At Reportly, we take the protection of your privacy and personal data very seriously. In this Privacy and Personal Data Protection Policy (the "Policy"), we describe how we process personal data as a data controller, particularly when you visit this website, participate in an event organised by Reportly, request a demonstration, subscribe to our newsletters, when we interact with you on social media, or when we carry out specific activities such as the development and improvement of our services.

This Policy describes the processing operations for which Reportly acts as data controller. Where Reportly processes data on behalf of its business customers — for example advertising performance data from Google Ads, your e-commerce customers' data, or HR and payroll data — it acts as a data processor within the meaning of Article 28 of the GDPR: these processing operations are described in section 3.1 and governed by the contractual terms agreed with each customer.

1. Who is Reportly?

When we refer to "Reportly" in this Policy, we mean Nuvem Studio, a société par actions simplifiée unipersonnelle (SASU) with share capital of €100, registered with the Paris Trade and Companies Register under number 988 881 900, whose registered office is located at 58 rue de Monceau, 75008 Paris, represented by Mr Olivier Saint-Marc, acting as President, and acting as controller of the personal data under our control.

2. What is "personal data"?

Within the meaning of the European Data Protection Regulation No 2016/679 (known as "GDPR") which came into force on 25 May 2018 and French Law No 78-17 of 6 January 1978 "Data Processing and Civil Liberties" in its amended version, "personal data" means any information relating to an identified or identifiable natural person, such as a name, email address, telephone number or IP address.

3. What personal data do we process about you and why?

At Reportly, we process the following personal data about you:

Your identification data and professional contact details, such as your name, image, email address, postal address, telephone number, particularly when you request information about Reportly's products and services, when you participate in our events, or when you subscribe to our marketing communications.
Information you provide to us: when you contact us, you may provide us with additional information that is useful to share depending on the reason for your contact. For example, when you book a demonstration, you may wish to share the specific points you would like to discuss during our meeting. Generally, this is combined with your identification data and professional contact details.
Your communications and any information you choose to share with us, such as newsletters, emails, telephone and call recordings (e.g. webinars), event recordings, forms and tickets created.
Data relating to your use of our website and solution, as well as associated Reportly services, such as statistics, feedback, satisfaction surveys, case studies and customer testimonials.
Information about you from third parties and information collected from open and public databases: we work with partners and suppliers to help us operate our services and improve our product. They may share information about you with us, such as your identification data, professional contact details and data relating to your use of our solution.
Information provided by our customers under specific agreed contractual terms, particularly when we process personal data to provide, develop and improve our Reportly services.

3.1 Data We Process From Your Connected Services

When you connect a third-party service to Reportly, we process, on your behalf and as a data processor within the meaning of Article 28 of the GDPR, the data made available by that service. Depending on the service connected, this data may include personal data relating to your own customers, suppliers or employees.

From payment processors:

Transactions and payment history
Invoices and billing information
Subscriptions and recurring payments
Product and price information

From e-commerce platforms:

Orders and transaction history
Products and inventory data
Payout information
Customer data (name, email address, phone number, postal address, purchase history)

From advertising platforms:

Campaign performance metrics
Ad spend and budget data
Audience and targeting statistics

Connections to advertising platforms, including Google Ads, are established on a read-only basis. Reportly does not write, modify or delete any data on these platforms. The performance data retrieved is used solely to generate your reports in Reportly and is never shared with third parties for advertising purposes, nor used for targeting or retargeting.

From accounting platforms:

Financial transactions and entries
Invoices and expense records
Bank account reconciliation data
Chart of accounts and categories, as well as the contact details of third parties appearing on accounting documents

From HR management and payroll tools:

Employee data strictly necessary for the requested indicators (headcount, remuneration, costs)

Purpose: this data is processed exclusively to generate the analyses and reports intended for your business. We do not use it for any other purpose, do not resell it, and do not exploit it for our own account.

Isolation and security: each customer's data is isolated by a tenant isolation mechanism (Row Level Security) and encrypted in transit and at rest.

Your responsibility: you act as data controller for this data and represent that you hold the necessary legal bases and authorisations to entrust it to us. Reportly acts solely on your documented instructions.

4. In practical terms, why do we collect your personal data and what else should you know?

Reportly takes privacy and the protection of your personal data seriously. We have placed at the heart of our commitments the respect and protection of the privacy and personal data of our customers and users, and consequently compliance with applicable laws and regulations, in particular the amended French Data Processing and Civil Liberties Act and the GDPR, but also to ensure better data protection with a view to improving our products and services.

To be clear, we process your personal data for the following purposes:

Marketing our SaaS solution and improving our services.
Contacting you to invite you to demonstrations, webinars, events and to keep you informed of our new features and any other commercial communications, and organising such events.
Managing your relationship with us.
Complying with our legal and regulatory obligations.

How does Reportly comply with the GDPR when processing your personal data?

Under Article 6 of the GDPR, data controllers such as Reportly may process personal data by relying on several legal bases. At Reportly, your personal data is processed on the basis of:

Performance of a contract with us or in order to take steps prior to entering into a contract with you.
The need to comply with a legal obligation.
Our legitimate interest.
Your consent.

How long does Reportly retain your personal data?

We will retain your personal data for 3 years after your last contact with us or, if there is a contract in place between us, after the end of our contractual relationship. Some data may be retained for longer periods where required by law, including billing data retained for 10 years in accordance with Article L.123-22 of the French Commercial Code.

Data from connected third-party services (section 3.1) is retained for the duration of your active subscription and deleted within 90 days of termination. You may request early deletion at support@reportly.fr.

5. Is the processing of your personal data secure?

Reportly has implemented a number of measures to protect your privacy and personal data and to meet GDPR requirements.

Concerning the security measures implemented to protect personal data against any risk of breach, unauthorised disclosure or damage to its integrity, Reportly has deployed all necessary resources with its teams and service providers to minimise the risk of security breaches, including:

SSL encryption of the website.
Your data is encrypted both in transit (TLS/SSL) and at rest (AES-256 encryption).
In particular, we endeavour to maintain 24/7 system monitoring to ensure the security of the personal data we process.
Our sites are regularly scanned for security flaws and vulnerabilities, and we take the necessary precautions to prevent the loss, misuse or alteration of personal data.

6. With whom do we share your personal data?

Your personal data may be shared with our service providers (notably our hosting and IT service providers listed in section 6.1). Outside of these providers and cases expressly provided for by law, your personal data is not shared with third parties.

When your personal data is shared outside of Reportly, we make every effort to select our service providers on the basis of very stringent criteria in terms of confidentiality, data protection and security. All transfers of personal data are contractually secured.

Your personal data may also be shared with service providers located outside the European Economic Area ("EEA"). In this case, we ensure that our service providers:

Are located in a country considered to offer an adequate level of protection by the European Union in terms of personal data, or
Are bound by contractual clauses guaranteeing an equivalent level of protection of your personal data (i.e. the standard contractual clauses established by the European Commission) or that the transfer is otherwise authorised under the GDPR.

6.1 Sub-processors

We use the following service providers to operate Reportly:

Supabase - Database hosting (European Union)
Render - Application hosting (United States; transfer governed by the European Commission's standard contractual clauses, Implementing Decision 2021/914/EU)
OpenRouter - Artificial intelligence processing for the DatAI assistant, on aggregated indicators only (United States; transfer governed by the European Commission's standard contractual clauses; no retention of request content; model training disabled)
Brevo - Sending our transactional and marketing emails (European Union)

6.2 Processing by artificial intelligence (DatAI)

Reportly offers an analytics assistant, "DatAI", which allows you to query your indicators in natural language. To generate a response, only your question and aggregated numerical indicators are transmitted to a language model provider. No data that could identify your end customers (name, email address, phone number, postal address) is transmitted: a server-side filtering mechanism technically prevents the transmission of any identifying data.

This processing is carried out by OpenRouter (a provider based in the United States), which routes the request to the configured language model. OpenRouter does not retain the content of requests, and the use of this data for model training is disabled.

6.3 Use of Google APIs and "Limited Use" Commitment

Reportly uses APIs provided by Google LLC, including the Google Ads API, to retrieve the performance data of your advertising campaigns solely for reporting and analytics purposes, on your behalf.

Limited Use. The use of information received via Google APIs is strictly limited to providing the reporting service you request. In particular, Reportly commits to:

using this data solely to generate your reports and dashboards in Reportly;
not selling, transferring or disclosing it to third parties for advertising or commercial purposes;
not using it to serve personalised advertising, retargeting or behavioural advertising;
not using it to train artificial intelligence or machine learning models;
accessing Google APIs on a read-only basis, strictly within the limits of the permissions (OAuth scopes) you grant.

Reportly's use and transfer of information received from Google APIs complies with the Google API Services User Data Policy, including its Limited Use requirements.

Data from Google APIs is hosted in our secure infrastructure (see section 5), subject to the same isolation and encryption guarantees as all of your Reportly workspace, and retained only for as long as necessary to make your reports available. It is deleted upon your request or upon termination of your access.

7. Your rights

Within the limits and conditions of applicable data protection laws, you may ask us to:

Access your personal data.
Rectify your personal data.
Erase your personal data.
Restrict the processing of your personal data.
Object to the processing of your personal data.
Transfer your personal data to another provider (right to data portability).
Withdraw your consent at any time where processing is based on consent, without such withdrawal affecting the lawfulness of processing carried out prior to the withdrawal (Article 7.3 of the GDPR).

You may also lodge a complaint with a competent supervisory authority — in France, the CNIL (3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07).

8. How to contact us?

If you wish to exercise your rights and for any questions concerning this document and, in general, concerning the collection and processing of your personal data by Reportly, please do not hesitate to contact us by email: support@reportly.fr or to send us a letter to: Nuvem Studio - Privacy contact, 58 rue de Monceau, 75008 Paris (France).

9. Amendments

This Privacy and Personal Data Protection Policy may be updated from time to time, particularly to take account of changes in our services, technologies or applicable regulations.

Any material change will be communicated to you by email, to the address associated with your account, at least 30 days before it takes effect. Where processing is based on your consent, we will invite you to renew it before the change takes effect. For changes relating to data received via Google APIs, we comply with the prior notification requirements of the Google API Services User Data Policy.

10. Cookies

To find out more about cookies, please consult our Cookie Policy.