Privacy Policy

1. What We Collect

ReportMate collects the minimum data necessary to provide the service: your email address and name (via Google OAuth), and OAuth access tokens for the advertising and analytics platforms you connect (Google Analytics, Google Ads, Google Business Profile, Meta Ads, LinkedIn Ads, TikTok Ads, Instagram).

Access tokens are stored encrypted in our database using AES-256-GCM. We never store your advertising platform passwords. We do not collect or store personal data belonging to your clients' end users.

We also collect standard usage logs (IP addresses, browser type, pages visited) for security and rate limiting purposes. Subscription payments are processed by Paddle — we store only your Paddle customer ID and subscription status, not credit card numbers.

2. How We Use Your Data

We use your connected account tokens solely to fetch performance metrics on your behalf and display them in reports you generate. We do not sell your data, share it with third parties for advertising purposes, or use it to train AI models.

Report data (metrics, AI-generated summaries) is stored so you can view and share reports at a later time. You can delete any report or client at any time from your dashboard.

3. Google API Services

ReportMate's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We access Google account data solely to retrieve performance metrics requested by the authenticated user. We do not use this data to serve advertisements, share it with third parties for any other purpose, or retain it beyond what is needed to generate and display reports.

4. Third-Party Services

ReportMate integrates with the following third-party services:

• Supabase — database and authentication hosting
• Anthropic Claude — AI-generated report summaries (metrics data only, no PII)
• Paddle — payment processing and subscriptions
• Resend — transactional email delivery
• Vercel — application hosting
• Upstash — rate limiting (IP addresses only, not stored)

Each of these services operates under their own privacy policies. Data shared with them is limited to what is strictly necessary for their function.

5. Data Retention

Your account data is retained for as long as you maintain an active account. You may request deletion of your account and all associated data at any time by emailing us. Encrypted OAuth tokens for disconnected integrations are deleted immediately upon disconnection. Upon account deletion, all personal data is removed within 30 days.

6. Security

All OAuth access tokens and refresh tokens are encrypted at rest using AES-256-GCM before being stored in the database. Data is transmitted over HTTPS at all times. We implement Row Level Security (RLS) ensuring users can only access their own data.

7. Your Rights

You have the right to access, correct, export, or delete your personal data at any time. You can revoke OAuth access for any connected integration from your dashboard settings. To exercise these rights or with any privacy questions, contact us at support@matehq.app.

8. Cookies

ReportMate uses only essential cookies required for authentication (session cookies via Supabase Auth). We do not use tracking cookies or third-party advertising cookies.