Last updated: March 23, 2026
Privacy Policy
Official policy URL: https://reportlyra.com/privacy
This Privacy Policy explains how the company operating Reportlyra ("Reportlyra", "we", "us") processes personal data when you visit our marketing website, create or use a Reportlyra workspace account, connect advertising or analytics platforms, or interact with features we host (such as client approval links). We aim to comply with the EU General Data Protection Regulation ("GDPR"), the Norwegian Personal Data Act, the UK GDPR / Data Protection Act 2018 where applicable, and U.S. state consumer privacy laws where applicable. This document is informational and not legal advice; please consult qualified counsel for your own compliance obligations.
1. Who we are and how to contact us
The data controller for personal data processed in connection with providing and operating the Reportlyra service and this website is the legal entity operating Reportlyra, established in Norway. You may request our company registration details (e.g. organization number) by emailing privacy@reportlyra.com.
For all privacy-related requests (access, correction, deletion, objections, questions about this policy, or supervisory authority correspondence), contact: privacy@reportlyra.com. We will respond within the timeframes required by applicable law (typically within one month for GDPR requests, subject to extension where permitted).
How to request deletion of your data: Email privacy@reportlyra.com from an address associated with your account or describe how we can verify your identity. This includes data obtained when you log in with Meta or connect Meta to your workspace (for example Marketing API–related processing). We honor valid requests and Meta user data deletion requirements where applicable.
2. Scope: who this policy covers
This policy applies to: visitors to our public marketing site; individuals who register, log in, or are invited to a Reportlyra organization; and individuals who open client approval or similar tokenized links, leave feedback, or receive transactional emails (for example report delivery or invitations) sent through the product by our customers. It also covers personal data we receive from connected platforms (such as Meta or Google) when authorized by a customer workspace.
3. Customer organizations, end clients, and our role
Reportlyra is a B2B service. When an agency or company ("customer") uses Reportlyra, they may enter personal data about their own clients (for example contact names, emails, or brand-related information) and may send approval links to individuals who review ads without creating a full account. In those situations, the customer is typically the controller of that personal data, and Reportlyra processes it as a processor on the customer's instructions, as described in our terms and, where required, a data processing agreement. If you interact with Reportlyra only because a customer sent you a link or email, you should also read that customer's privacy notice and contact them for questions about why your data was shared with us.
For our own account records, billing (if applicable), service security, and this website, we act as controller as described in this policy.
4. Data we process and why
We process personal data only where we have a valid purpose and, where GDPR applies, an appropriate legal basis. The table below summarizes typical processing. Specific integrations depend on what each workspace enables.
| Category | Examples | Purposes | Legal basis (GDPR) |
|---|---|---|---|
| Account & access | Email, password or auth session, display name, org membership, roles, invites | Provide the service, authentication, onboarding, access control | Contract; legitimate interests (fraud, abuse) |
| Workspace & collaboration | Client/project records, contacts, ads, comments, approvals, calendar plans, uploads | Operate product features the customer chooses to use | Contract (with customer); processor role where applicable |
| Approval portal | Tokenized link access, feedback text, technical identifiers (e.g. IP, timestamps in logs) | Let end clients review and respond without a full account | Contract (customer); legitimate interests (security) |
| Platform integrations | OAuth tokens (encrypted at rest), ad account/Page/campaign/creative and performance data from Meta, Google (Ads, GA4), LinkedIn, X, as connected | Sync, publishing, previews, exports, reports | Contract; consent via platform authorization where required |
| AI & website analysis | URLs and content you submit, prompts, generated outputs (e.g. BrandScan, editor assist) | Provide AI-assisted features you trigger | Contract; legitimate interests (product functionality) |
| Reports & email | Report recipients, delivery status, content derived from GA4, PageSpeed/Lighthouse, SEO checks, ad metrics, screenshots where configured | Generate and deliver PDF reports and notifications | Contract; legitimate interests (service operation) |
| Technical & security | IP address, device/browser type, logs, rate-limit metadata, error diagnostics | Security, reliability, abuse prevention, legal compliance | Legitimate interests; legal obligation |
| Marketing site | Theme preference (e.g. local storage), standard server logs | Display site, basic analytics of delivery | Legitimate interests; consent if we add non-essential cookies |
Where we rely on legitimate interests, we balance our interests against your rights; you may object to certain processing as described below. We do not use personal data for automated decisions that produce legal or similarly significant effects solely by automated means without human involvement; AI outputs are assistive and customers remain responsible for review before publication.
5. Meta (Facebook) and other advertising platforms
Workspaces may connect Meta (Facebook) via OAuth and use the Marketing API for ad accounts, Pages, campaigns, sync, and (where enabled) publishing. Similar connections may exist for Google (Google Ads, GA4), LinkedIn, and X for previews, ZIP export guides, and publishing paths. We process such data only to provide features you enable; we do not sell platform data. Each provider's own terms and privacy policies govern data on their systems—for Meta, see Meta's Privacy Policy.
If you connected Meta through our app, Meta may also transmit user data deletion requests to us; we honor those in line with Meta's developer requirements.
6. Recipients and subprocessors
We use carefully selected service providers who process personal data on our instructions. Categories and examples aligned with current product capabilities include:
- Infrastructure & data store — e.g. Supabase (authentication, database, storage, row-level security; service role for secured jobs such as scheduled reports).
- Email — e.g. Resend for transactional messages (invites, report delivery, notifications).
- AI & scraping — e.g. Anthropic (Claude) for strategy/copy; xAI (Grok) for text/image assistance; Firecrawl (or similar) for website fetch in brand analysis.
- Rendering & automation — e.g. tooling used to generate report assets (such as page screenshots or PDF rendering) as configured in the product.
- Platform APIs — Meta, Google, LinkedIn, X, when you connect accounts.
We impose contractual data protection terms (including GDPR Article 28 where applicable). A current subprocessor list may be provided on request or published separately; we will give notice of material changes where our agreements require.
7. International transfers outside the EEA/UK
Some subprocessors are located in the United States or other countries without an EU adequacy decision. Where GDPR or UK GDPR applies, we implement appropriate safeguards such as the EU Commission Standard Contractual Clauses ("SCCs"), the UK International Data Transfer Agreement / Addendum, or other lawful mechanisms, together with technical and organizational measures. You may request more information about transfers by contacting privacy@reportlyra.com.
8. Retention
We retain personal data for as long as necessary to provide the service, comply with law, resolve disputes, and enforce agreements. After account closure or workspace deletion (as applicable), we delete or anonymize data within a reasonable period unless a longer period is required for legal claims, security logs, or backups (backups are overwritten on a rolling cycle). OAuth tokens are removed or invalidated when you disconnect an integration or close your account, subject to technical propagation delays.
9. Security
We implement measures appropriate to the risk, including access control, encryption of platform credentials at rest where supported by our architecture, database row-level security for multi-tenant isolation, rate limiting on sensitive endpoints, and restricted access for operational staff. No system is perfectly secure; we encourage strong passwords and prompt revocation of unused integrations.
10. Cookies, local storage, and PWA
This marketing site may store a theme preference in your browser (e.g. local storage) to remember light/dark mode. The main application may use session cookies or similar mechanisms necessary for login. Where the product is offered as a PWA, a service worker may cache assets for offline or install behavior in production; that processing supports functionality you choose to enable.
If we introduce non-essential cookies (such as advertising or analytics beyond what is strictly necessary), we will update this policy and, where required, obtain consent before use.
11. Your rights (EEA, UK, and Norway)
If GDPR / UK GDPR / the Norwegian Personal Data Act applies, you have the right to: access your personal data; rectify inaccurate data; erase data in certain cases; restrict processing; exercise data portability for data you provided under contract or consent; object to processing based on legitimate interests (including profiling in some cases); and withdraw consent where processing is consent-based (without affecting prior lawful processing). You may also lodge a complaint with a supervisory authority. In Norway, the supervisory authority is Datatilsynet.
To exercise rights as an end user of a customer's approval link, we may need to verify your request and, in some cases, direct you to the customer who controls the underlying project data.
12. U.S. state privacy rights (including California)
Depending on your U.S. state of residence, you may have rights to know what personal information we collect, to delete certain information, to correct inaccuracies, to opt out of "sale" or "sharing" for cross-context behavioral advertising, and to appeal our decisions. We do not sell personal information for money and we do not share personal information for cross-context behavioral advertising as defined under the CCPA/CPRA in the ordinary operation of Reportlyra as described here. Submit requests via privacy@reportlyra.com; we will verify your identity as required by law. Authorized agents may submit requests where permitted.
13. Children
Reportlyra is a business tool and is not directed at children. We do not knowingly collect personal data from anyone under 16 (or the age required in your jurisdiction). If you believe we have collected such data, contact us and we will take appropriate steps to delete it.
14. Special categories of data
We do not ask you to upload special categories of personal data (such as health, religious beliefs, or biometric data for identification) into Reportlyra. Customers should not use the service to process such data unless they have a lawful basis and appropriate safeguards; we may delete or restrict content that violates our terms or applicable law.
15. Legal requests and enforcement
We may disclose personal data if required by law, court order, or governmental request, or to protect the rights, safety, and integrity of our users, the public, or Reportlyra. We will challenge disproportionate or unlawful requests where permitted.
16. Changes to this policy
We may update this Privacy Policy to reflect product, legal, or regulatory changes. We will change the "Last updated" date and, where the change is material, provide additional notice (for example by email to account holders or a notice in the product). Continued use after the effective date constitutes acceptance of the updated policy where permitted by law; if you do not agree, you should stop using the service and request account closure.