1. Data We Collect
We collect the following categories of personal data:
- Account data (via Firebase Auth): email address, display name, authentication provider, unique identifier, login timestamps
- Payment data (via Stripe): tokenized payment method, transaction history, billing address. We never store raw card numbers.
- Usage data: pages viewed, reports accessed, search queries, download history
- Pipeline data: report topics requested (admin only)
2. Legal Basis for Processing
- Contract performance: account management, payment processing, report delivery
- Legal obligation: tax records, financial reporting (7-year retention)
- Legitimate interest: usage analytics for service improvement, fraud prevention
3. Third-Party Processors
We share personal data with the following third-party processors, each operating under their own data processing agreements:
- Google / Firebase: authentication services
- Stripe: payment processing (PCI DSS Level 1 compliant)
- Anthropic: AI report generation (API data not used for training under commercial terms)
4. Your Rights (GDPR)
If you are in the European Economic Area, you have the following rights:
- Access: request a copy of your personal data
- Rectification: correct inaccurate data
- Erasure: request deletion of your data
- Restriction: limit how we process your data
- Portability: receive your data in a machine-readable format
- Objection: object to processing based on legitimate interest
Submit a data request through your account settings. We will respond within 30 days.
5. Your Rights (CCPA/CPRA)
California residents have additional rights:
- Right to know what personal information is collected and how it is used
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information
We do not sell personal information. We do not use personal information for automated decision-making that produces legal or similarly significant effects.
6. Data Retention
- Account data: duration of account + 30 days after deletion request
- Payment/transaction data: 7 years (legal obligation)
- Usage analytics: 24 months, then anonymized
- Server logs: 90 days
7. Cookies
We use essential cookies for authentication and session management. For details, see our Cookie Policy.
8. International Data Transfers
Your data may be transferred to and processed in the United States by our third-party processors (Firebase, Stripe, Anthropic). We rely on Standard Contractual Clauses (SCCs) and processor data processing agreements for EU-to-US transfers.
This document does not constitute legal advice.