Privacy Policy

Last updated: 9 June 2026

This page is also available at https://reportcue.com/privacy — please use that URL when referencing it in third-party developer consoles (e.g. Meta App Review, Google OAuth verification, TikTok Developer Portal, Google Ads API Center).

ReportCue ("we", "our", "us") — operating under the brand mark "Reporting Cue" — is a hosted SEO + paid-search + social reporting platform sold to marketing agencies and in-house performance teams. This policy explains what data we collect, how we use it, and your rights over it.

1. What we collect

When you use ReportCue, we collect and store:

  • Account info from sign-in: your name, email address, and profile picture (provided by Google when you sign in with Google; or your email and a magic-link verification when you sign in with email).
  • OAuth refresh tokens granting our system read-only access to your connected accounts. These are encrypted at rest using AES-256-GCM and never logged or exposed client-side.
  • OAuth tokens from Meta (Facebook + Instagram): when you connect a Facebook Page or Instagram Business account, we receive a long-lived access token from Meta. This grants read-only access to the Page Insights API and Instagram Graph API for the specific accounts you authorise.
  • OAuth tokens from TikTok: when you connect a TikTok for Business account, we receive an access token + refresh token via TikTok's OAuth flow. This grants read-only access to your account-level statistics and per-video performance.
  • OAuth tokens from Google Ads: when you connect a Google Ads account, we receive a refresh token scoped to the adwords permission. We use this to read campaign performance metrics only. We do not place, modify, pause, or delete ads.
  • OAuth tokens from Zoho CRM (when connected): scoped to reading aggregate Leads + Deals counts. We do not pull contact PII — see Section 4 below.
  • Third-party API keys you provide (e.g. SEMrush, optional). Encrypted at rest and only used to make authorised API calls on your behalf.
  • SEO metrics we sync from your connected services (search clicks, impressions, sessions, keyword rankings, backlinks, audit results). Stored to render your dashboard and trend analyses.
  • Social media metrics we sync from connected platforms (Facebook Pages, Instagram Business accounts, TikTok accounts): reach, impressions, engagement, follower counts, and the captions / thumbnails / public metrics of posts published from your accounts. We never read private direct messages or content not published by your own accounts.
  • Paid-media metrics we sync from connected ad accounts (Meta Ads, Google Ads): spend, impressions, clicks, conversions, CPM, CPC, CTR, ROAS, campaign + ad-group metadata. We do not access customer-match audiences, conversion uploads, or any other identity-based data.
  • Workspace configuration you set (logo, brand colour, brand terms, tracked competitors, annual targets, member roles).

2. What we DO NOT collect

  • We do not store your Google, Meta, TikTok, or Zoho password — those providers handle authentication.
  • We do not collect personal data from your end-users or website visitors.
  • We do not use cookies for advertising. Only session cookies for keeping you signed in.
  • We do not export or sell your data to data brokers.

3. Google API services

ReportCue's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, we use the following Google scopes:

  • webmasters.readonly — read your Search Console clicks, impressions, queries, and page-level performance.
  • analytics.readonly — read your GA4 sessions, conversions, and page performance.
  • analytics.edit — list your accessible GA4 properties so you can pick which one to attach to a workspace. Read-only on metric data; no settings are modified.
  • adwords — read Google Ads campaign performance via GAQL (Google Ads Query Language). No mutate operations are performed.
  • business.manage — read Google Business Profile insights (only if you connect a GMB account).

We do not use Google API data to train AI models, target advertising, or resell it to third parties.

4. Meta Platform data (Facebook + Instagram)

ReportCue uses the Meta Graph API to read analytics for Facebook Pages and Instagram Business / Creator accounts you explicitly authorise. We adhere to Meta's Platform Terms and Developer Policies.

Specifically, with the permissions you grant we may read:

  • Pages: page name, profile picture, follower count, post-level and page-level insights (impressions, reach, engagement), and metadata of posts published by the page.
  • Instagram Business / Creator: account username, profile picture, follower count, daily insights (reach, profile views, website clicks, accounts engaged), and metadata of media you have published.
  • Inbox messaging counts (optional, only with permission): aggregate inbound + outbound message counts, response rate, and average response time. When you grant pages_messaging + instagram_manage_messages, we may also send inbound message text to our LLM sub-processor for sentiment classification (positive / neutral / negative). The text is discarded immediately after classification; we persist only the aggregate sentiment counts per day.
  • Meta Ads (optional, only if you connect): ad-account spend, campaign + ad-set + ad-level performance metrics, audience insights at aggregate level. No PII from individual ad recipients.

We use this data only to render your analytics dashboard. We do not use Meta Platform data for advertising, AI model training, or resale. You can revoke our access at any time from Facebook → Settings → Business Integrations — our syncs will stop immediately and we'll delete cached metrics within 30 days.

5. TikTok Platform data

ReportCue uses the TikTok for Developers API to read public analytics for the TikTok accounts you authorise. We adhere to TikTok API Terms of Service. We request only the scopes required for read-only analytics (user.info.profile, user.info.stats). We do not post content to TikTok, do not interact with viewers, and do not access private direct messages.

6. Zoho CRM data (aggregate-only)

When you connect Zoho CRM, ReportCue persists only aggregate counts: leads-by-status, leads-by- source, deals-by-stage, conversion rate, and day-on-day totals. We deliberately do not pull or store contact PII (names, emails, phone numbers, deal names, owner names, deal amounts) from Zoho. The Zoho field selectors at fetch time exclude these fields entirely; the database schema has no columns to hold them.

7. How we use your data

  • Render your dashboards and generate insights.
  • Run scheduled syncs to keep your data fresh.
  • Generate optional AI executive summaries via Anthropic or OpenAI APIs (only if enabled).
  • Send transactional emails (account, billing, sync errors). Never marketing.
  • Aggregated and anonymised product analytics (e.g. "70% of users connect SEMrush").

8. Storage and security

Data is hosted on a dedicated Hostinger VPS in the Frankfurt (Germany) region within the EU. Postgres is on the same private network as our application servers, never exposed to the public internet. We encrypt OAuth tokens and API keys at rest with AES-256-GCM. All client traffic is over HTTPS with Let's Encrypt certificates. Server-side rendering keeps cached data inside the trusted boundary; no public CDN serves your dashboard data.

Automated nightly backups of Postgres are stored on the same VPS with a rolling 30-day retention. Backups are encrypted at rest.

9. Your rights

  • Access: view all data we hold about you via your workspace dashboard.
  • Export: CSV export of any metric via the dashboard.
  • Deletion: email support@reportcue.com and we'll delete your account and all associated workspace data within 30 days. We retain billing records as required by tax law.
  • Revoke Google access: at any time via Google Account → Third-party access. Our scheduled syncs will stop working immediately.
  • Revoke Meta access: Facebook → Business Integrations.
  • Revoke TikTok access: TikTok App → Settings → Privacy → Authorised apps.

10. Sub-processors

  • Google — OAuth, GSC API, GA4 API, Google Ads API, Google Business Profile API, PageSpeed Insights API.
  • Meta Platforms — Graph API for Facebook Pages, Instagram Business, and Meta Ads (only if you connect).
  • TikTok — TikTok for Developers API (only if you connect).
  • Zoho — Zoho CRM API (only if you connect; aggregate-only data).
  • Hostinger — hosting (Frankfurt, Germany).
  • SEMrush — analytics API (only if you provide your own key).
  • Anthropic — Claude API for optional AI executive summaries + inbox sentiment classification (if enabled).
  • OpenAI — GPT API for optional AI executive summaries (alternative to Anthropic).
  • Resend — transactional email (magic-link sign-in, sync notifications).
  • Stripe — billing (rolled out per workspace; if you are not on a paid plan via Stripe, this sub-processor does not receive your data).

11. Data deletion request

To request deletion of your ReportCue account or your connected Facebook Pages / Instagram Business accounts, submit our public form at reportcue.com/data-deletion. You'll receive a confirmation code by email immediately.

We confirm receipt within 7 business days and complete deletion within 30 days. You can check the status of any request at reportcue.com/data-deletion/status using your confirmation code. Meta-initiated deletions (when you remove ReportCue from your Facebook account directly) are processed automatically via our signed-request callback. This satisfies Meta's Platform Terms requirement for a Data Deletion URL.

12. Children

ReportCue is a B2B product not directed at children. We do not knowingly collect data from anyone under 16. If you believe we have, email support@reportcue.com and we'll delete it immediately.

13. Changes to this policy

If we make material changes (new sub-processors, new data categories collected, change of hosting region), we'll notify you by email at least 14 days before they take effect. Minor edits (typos, clarifications) are noted by the "Last updated" date at the top of this page.

14. Contact

Questions or data requests: support@reportcue.com. We respond within 7 business days.