ReportCue

Privacy Policy

Last updated: 20 May 2026

ReportCue ("we", "our", "us") is a hosted SEO and reporting platform. This policy explains what data we collect, how we use it, and your rights over it.

1. What we collect

When you use ReportCue, we collect and store:

  • Account info from Google Sign-In: your name, email address, and profile picture (provided by Google when you sign in).
  • OAuth refresh tokens granting our system read-only access to your Google Search Console and Google Analytics 4 properties. These are encrypted at rest using AES-256-GCM.
  • Third-party API keys you provide (e.g. SEMrush, optional). These are encrypted at rest and only used to make authorised API calls on your behalf.
  • SEO metrics we sync from your connected services (search clicks, impressions, sessions, keyword rankings, backlinks, audit results). These are stored to render your dashboard and trend analyses.
  • Workspace configuration you set (logo, brand color, brand terms, tracked competitors, annual targets).

2. What we DO NOT collect

  • We do not store your Google password — Google handles authentication.
  • We do not collect personal data from your end-users or website visitors.
  • We do not use cookies for advertising. Only session cookies for keeping you signed in.

3. Google API services

ReportCue's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, we use the webmasters.readonly and analytics.readonly scopes to read your search and analytics data on your behalf. We do not use this data to train AI models, target advertising, or resell it to third parties.

4. How we use your data

  • Render your dashboards and generate insights.
  • Run scheduled syncs to keep your data fresh.
  • Send transactional emails (account, billing, sync errors). Never marketing.
  • Aggregated and anonymised product analytics (e.g. "70% of users connect SEMrush").

5. Storage and security

Data is hosted on AWS EC2 in the ap-southeast-1 (Singapore) region. Postgres is on the same private network as our application servers, never exposed to the public internet. We encrypt OAuth tokens and API keys at rest with AES-256-GCM. We use HTTPS for all client traffic with Let's Encrypt certificates.

6. Your rights

  • Access: view all data we hold about you via your workspace dashboard.
  • Export: CSV export of any metric via the dashboard.
  • Deletion: email support@reportcue.com and we'll delete your account and all associated workspace data within 30 days. We retain billing records as required by tax law.
  • Revoke Google access: at any time via Google Account → Third-party access. Our scheduled syncs will stop working immediately.

7. Sub-processors

  • Google — OAuth, GSC API, GA4 API, PageSpeed Insights API.
  • Amazon Web Services — hosting (EC2, Singapore).
  • SEMrush — analytics API (only if you provide your own key).
  • Anthropic — Claude API for optional AI executive summaries (if enabled).
  • Stripe — billing.

8. Contact

Questions or data requests: support@reportcue.com. We respond within 7 business days.