Privacy Policy
Version 1.0 · Last updated [DATE]
1. Data controller
The data controller for personal data processed in the context of the Service is [COMPANY NAME]. You can contact the data protection point of contact at [PRIVACY EMAIL].
2. What we collect and why
2.1 Account data
When you register an account we collect your email address, a display name, and a hashed password (we never store passwords in clear text). We also record the date of registration and which version of our regulatory clauses you accepted (Terms of Service, Privacy Policy, Legal Notice). This is necessary for the performance of the contract between you and us (GDPR Article 6.1.b).
2.2 Usage data
We collect technical information about how you use the Service: timestamps of logins, IP address used to access the Service, basic browser / device metadata, the identifiers of the dashboards and queries you create or run, and error traces. This data is used to operate, monitor and secure the Service and is based on our legitimate interest in running a stable platform (GDPR Article 6.1.f).
2.3 Billing data
For paid plans we collect billing identity (name, billing address, VAT number for businesses) and we process payments through a third-party payment service provider. We never store full card numbers on our servers; only a tokenised reference returned by the payment provider is kept so we can charge the renewal. Billing data is processed to fulfil the contract and to comply with our accounting and tax obligations (GDPR Article 6.1.b and 6.1.c).
2.4 Customer Content
The databases you connect, the rows the Service queries and the dashboards you build can contain personal data of your own customers or employees. With respect to that Customer Content we act as data processor on your behalf (GDPR Article 28). A Data Processing Agreement is part of the Terms of Service for paid plans; we can sign a stand-alone DPA on request.
3. How long we keep your data
- Account data: for as long as your account is active, then deleted thirty (30) days after account closure.
- Usage / logs: security event logs are kept twelve (12) months; technical telemetry is kept up to three (3) months.
- Billing data: retained for ten (10) years to comply with French accounting law (Code de commerce Article L.123-22).
- Customer Content: retained while the account is active; deleted thirty (30) days after account closure. Backup copies age out of our retention window within ninety (90) days of deletion.
4. Who we share data with
We share personal data only with the subprocessors necessary to operate the Service. As of the version date above, our subprocessors are:
- OVH SAS (France) — infrastructure and hosting provider for production servers, backups and object storage. All Service data is hosted in the European Union.
- Email sender: [EMAIL PROVIDER, e.g. Brevo / OVH Mail] — transactional emails (verification, password reset, scheduled report deliveries).
- Payment processor: [PAYMENT PROVIDER, e.g. Mollie / Stripe] — payment collection and PCI-DSS compliance for paid plans.
We do not sell or rent your personal data to third parties. We do not transfer personal data outside the European Economic Area as part of operating the Service.
5. Cookies and similar technologies
The Service uses strictly necessary cookies to keep you logged in and to remember your interface preferences (theme, panel widths). These cookies are essential to the operation of the Service and do not require consent. We do not deploy advertising or third-party tracking cookies on app.openreport.io. The marketing site (openreport.io) uses no analytics or advertising trackers.
6. Your rights under GDPR
You have the following rights regarding your personal data:
- Access — obtain a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — ask us to delete your data subject to our legal obligations.
- Restriction — ask us to pause the processing of your data while a dispute is resolved.
- Portability — receive your data in a structured, commonly used, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — withdraw any consent you have given, without affecting the lawfulness of processing based on consent before its withdrawal.
Send any request to exercise these rights to [PRIVACY EMAIL]. We answer within one (1) month of receiving the request.
You also have the right to lodge a complaint with the French data protection authority, the Commission nationale de l'informatique et des libertés (CNIL), at 3 place de Fontenoy, TSA 80715, 75334 Paris Cedex 07.
7. Security
We protect personal data with appropriate technical and organisational measures: TLS encryption in transit, encrypted disks at rest, role-based access controls, principle of least privilege, security event logging, regular dependency updates and infrastructure hardening on top of OVH's certified data centres. Despite these measures, no service can guarantee absolute security; we will notify you and the CNIL within seventy-two (72) hours of becoming aware of a personal data breach likely to result in a risk to your rights and freedoms, as required by GDPR Article 33.
8. Changes to this Policy
We may update this Privacy Policy from time to time. When a material change occurs we will notify registered users by email at least thirty (30) days before it takes effect. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
9. Contact
Privacy questions can be sent to [PRIVACY EMAIL]. Postal mail can be sent to [COMPANY NAME], [ADDRESS].