Privacy Policy

Last updated: April 1, 2026

This Privacy Policy explains how Keyvity e.U., operating as ReportLayer, collects, uses, stores, and shares information when you use our Service. We are committed to handling your data responsibly and in compliance with the EU General Data Protection Regulation (GDPR) and other applicable privacy laws.

If you have questions about this policy or how we handle your data, contact us at privacy@reportlayer.io.

1. Who Is Responsible for Your Data

The data controller for personal data processed through ReportLayer is:

Keyvity e.U.
Anton-Mahringer-Weg 35
Villach 9500, Austria
VAT: ATU79094445
privacy@reportlayer.io

As data controller, we determine the purposes and means of processing your personal data. Where we engage third-party services to process data on our behalf, they act as data processors under written agreements.

2. What Data We Collect

Account and registration data

When you create a ReportLayer account, we collect your email address, your agency name, and a hashed version of your password. We never store your password in plain text. If you accept a team invitation, we also collect the name or email of the person who invited you.

Billing data

Payments are processed by LemonSqueezy, which acts as merchant of record. We do not receive or store your full card number or CVV. We store a customer reference ID returned by LemonSqueezy so we can link your account to your subscription, and we retain records of subscription status and plan type.

Google integration data

When you connect a client's Google account via OAuth, we store OAuth access tokens and refresh tokens for each integration (Google Analytics 4, Google Search Console, Google Ads). These tokens are used solely to fetch reporting data on your behalf. We also store the aggregated metric snapshots that result from those API calls — things like session counts, click counts, impression data, and ad spend. We do not store raw personal data about your clients' website visitors.

Client records

You may enter information about your clients within ReportLayer, including their name, email address, and website URL. This information is provided by you and used to configure and deliver reports. You are responsible for having a lawful basis to share your clients' contact details with us.

Usage and technical data

We collect standard server logs when you use the Service, which may include your IP address, browser type, pages accessed, and timestamps. We use this data to operate and improve the Service and to diagnose errors. We do not use this data for advertising profiling.

Communications

If you contact us by email, we retain those communications to handle your request and to improve our support.

3. How We Use Your Data

Purpose | Legal basis
Providing and operating the Service | Performance of contract (Art. 6(1)(b) GDPR)
Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b) GDPR)
Fetching Google Analytics, Search Console, and Ads data via OAuth | Performance of contract (Art. 6(1)(b) GDPR)
Sending scheduled report emails to your clients | Performance of contract (Art. 6(1)(b) GDPR)
Sending transactional emails (account, billing, invitations) | Performance of contract (Art. 6(1)(b) GDPR)
Notifying you of changes to the Service or these policies | Legitimate interest (Art. 6(1)(f) GDPR)
Diagnosing technical issues and improving the Service | Legitimate interest (Art. 6(1)(f) GDPR)
Complying with legal obligations | Legal obligation (Art. 6(1)(c) GDPR)

We do not sell your personal data. We do not use your data for targeted advertising.

4. Who We Share Data With

We share data with the following categories of third-party processors, each bound by appropriate data processing agreements:

Infrastructure and database

Our database and authentication layer run on Supabase, with data hosted on servers located in Germany (Frankfurt). Supabase processes data on our behalf under a data processing agreement.

Email delivery

Outbound emails — including scheduled client report emails and transactional account emails — are sent through Resend (Resend Inc., United States). Resend processes recipient email addresses and email content on our behalf under a data processing agreement. As a US-based processor, data transfers are governed by Standard Contractual Clauses adopted under GDPR Art. 46.

Billing

LemonSqueezy acts as merchant of record for all paid subscriptions. When you subscribe, you enter a direct payment relationship with LemonSqueezy. Their privacy policy governs how they handle your payment data. We receive only a customer reference ID and subscription status from them.

Google APIs

To retrieve your clients' analytics data, we make authenticated requests to Google's APIs using OAuth tokens you have authorized. Google processes these requests under their own terms and privacy policies. We access only the scopes you explicitly authorize.

Legal and compliance

We may disclose personal data if required to do so by law, court order, or governmental authority, or where necessary to protect the rights, property, or safety of Keyvity e.U., our users, or others.

We do not share your data with any other third parties for their own marketing or commercial purposes.

5. International Data Transfers

Our primary infrastructure is hosted in Germany and therefore within the European Economic Area (EEA). The following third-party processors operate outside the EEA and involve international data transfers:

  • Resend (United States) — email delivery. Transfer governed by Standard Contractual Clauses (GDPR Art. 46).
  • LemonSqueezy (United States) — payment processing. Transfer governed by Standard Contractual Clauses (GDPR Art. 46).
  • Google LLC (United States) — analytics (GA4) and API access. Google participates in the EU–U.S. Data Privacy Framework and Standard Contractual Clauses are in place.

In each case, we have entered into data processing agreements with these processors and rely on appropriate safeguards to ensure your data receives an equivalent level of protection to that required within the EEA.

6. How Long We Keep Your Data

We retain your personal data for as long as your account is active. If you cancel your subscription, your account reverts to the free plan and your data remains accessible. If you request deletion of your account, we will delete your personal data within 30 days, except where we are required to retain it longer for legal or accounting reasons (for example, billing records may be retained for up to 7 years as required under Austrian tax law).

Google OAuth tokens are deleted immediately when you disconnect an integration. Metric snapshot data associated with a client is deleted when that client is deleted from your account.

7. Cookies and Tracking

We use cookies and similar technologies in two categories:

Strictly necessary cookies

These cookies are required for the Service to function. They include a session cookie that keeps you logged in to your ReportLayer account. You cannot opt out of strictly necessary cookies without also losing access to the Service. No personally identifying information is stored in these cookies beyond what is required to maintain your session.

Analytics cookies (opt-in)

With your consent, we use Google Analytics 4 (GA4), operated by Google LLC, to understand how visitors use our website. GA4 collects anonymised data about pages visited, session duration, and general geographic region (country level). We have configured GA4 with the following privacy settings:

  • IP addresses are anonymised and never stored in full
  • Google Signals and advertising personalisation are disabled
  • No data is shared with Google for advertising purposes
  • Data is retained for 14 months in Google Analytics

Data collected by GA4 may be transferred to Google servers in the United States. Google LLC participates in the EU–U.S. Data Privacy Framework and has executed standard contractual clauses with Keyvity e.U. as required under GDPR Art. 46. We have a Data Processing Agreement in place with Google.

The legal basis for analytics processing is your consent (GDPR Art. 6(1)(a)). Analytics cookies are only placed after you click "Accept all" in the cookie banner. You may withdraw consent at any time by clicking "Reject non-essential" in the cookie banner (accessible from the bottom of any page on your first visit) or by clearing your browser's local storage for reportlayer.io.

8. Security

We take reasonable technical and organizational measures to protect your data against unauthorized access, loss, or disclosure. These include encrypted connections (TLS), hashed password storage, database-level row security policies, and access controls that restrict which parts of the system each component can reach. However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

If we become aware of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours and will inform affected users without undue delay where required by law.

9. Your Rights Under GDPR

If you are located in the EEA, you have the following rights regarding your personal data:

  • Access. You may request a copy of the personal data we hold about you.
  • Rectification. You may ask us to correct inaccurate or incomplete data.
  • Erasure. You may request that we delete your personal data, subject to legal retention requirements.
  • Restriction. You may ask us to restrict processing of your data in certain circumstances.
  • Portability. You may request your data in a structured, machine-readable format so you can transfer it to another service.
  • Objection. You may object to processing based on our legitimate interests. We will stop unless we have compelling grounds that override your interests.
  • Withdrawal of consent. Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at privacy@reportlayer.io. We will respond within 30 days. We may ask you to verify your identity before fulfilling the request.

You also have the right to lodge a complaint with your national data protection authority. In Austria, the supervisory authority is the Datenschutzbehörde (DSB), reachable at www.dsb.gv.at.

10. Data Related to Your Clients

When you use ReportLayer to manage and report on your own clients, you upload or generate data about those clients (names, email addresses, website URLs, and performance metrics). In this context, you act as the data controller for your clients' personal data, and we act as your data processor.

You are responsible for ensuring that you have a lawful basis to process your clients' data and to share it with us for the purpose of generating reports. We process that data only in accordance with your instructions and these terms.

Client report pages are accessible via a unique private token link. No ReportLayer account is required for a client to view their report. You are responsible for distributing these links appropriately and for revoking access if needed by deleting the client from your account.

11. Children's Privacy

The Service is intended for use by businesses and professionals. We do not knowingly collect personal data from anyone under the age of 18. If you believe a minor has submitted data to us, please contact us at privacy@reportlayer.io and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the "last updated" date at the top of this page. We encourage you to review this policy periodically. Your continued use of the Service after a change takes effect constitutes acceptance of the updated policy.

13. Mailing List and Email Marketing

What we collect

When you subscribe, we collect your email address and the page you subscribed from. We do not collect your name or any other data.

Why we collect it

To deliver the free guide you requested and to send occasional product updates about ReportLayer. We never use your email for any other purpose.

Legal basis

We process your email address on the basis of your explicit consent, given when you submitted the subscription form. You may withdraw consent at any time by unsubscribing.

Data processors

Your email is processed by:

  • Resend (resend.com) — delivers transactional emails. SOC 2 Type II.
  • Listmonk — self-hosted on our server in Germany (EU).

Your data never leaves EU infrastructure for mailing list purposes.

Data location

All subscriber data is stored on our self-hosted Listmonk instance, running on a VPS in Germany (EU), backed by Supabase in Frankfurt, Germany (EU). No subscriber data is stored outside the EU.

Retention

We retain your email address until you unsubscribe or submit a deletion request. Unsubscribe at any time using the link in any email we send.

Your rights

Under GDPR you have the right to access, rectify, and erase your data. To request full deletion: email hello@reportlayer.io or visit: https://reportlayer.io/unsubscribe?email=your@email.com. We process all deletion requests within 30 days.

14. Contact

For any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Keyvity e.U. — Privacy
Anton-Mahringer-Weg 35
Villach 9500, Austria
privacy@reportlayer.io