Privacy Policy

This Agreement was last modified on March 25th, 2021.


1. The TL;DR version

2. Data related to logging in

When you sign up for an account at Report-URI you need to provide your email address and a password.

As part of the sign-up process, we use Google's reCAPTCHA service which is essential to prevent automated bot registrations. Google's use of the data processed by reCAPTCHA is described at https://policies.google.com/technologies/partner-sites.

The email address you provide is stored and is used as a unique identifier for you to login. It is also used to send you emails in relation to your use of the service, ask for your feedback, and inform you of changes and enhancements to our services.

The password you choose is salted, hashed and stored. This hash is used every time you login to authenticate that the person logging in and claiming to be you, really is you.

We also create a unique UserID (think GUID) for your account. This is used reference your account and for internal administration.

Data related to logging in is retained until your account is deleted.

By signing up for an account at Report-URI, you agree that we can use this information relating to you for these purposes. No other information is required for you to use the service.


3. Data related to payments

When you enter your payment card information we require the following data.

This data is sent directly to Stripe Payments Europe from your browser. The Report-URI servers never see this data, instead Stripe send us a reference which we use when we want to alter your monthly payment.

This information, along with your payment history, is necessary for us to process payments in accordance with our terms of service. It is retained as long as you continue to use Report-URI.

In addition to Stripe Payments Europe acting as our payment processor, Stripe also uses the data provided for their own purposes which include the prevention and detection of fraud and their own regulatory obligations. You can find out more about how Stripe uses your data in their privacy policy at https://stripe.com/gb/privacy.


4. Data related to your engagement with us

If you email us to ask about our services or require to be invoiced before paying, then we will process the data you provide to us in emails which may include your name, telephone number(s), job title, company and physical address. We use this information to communicate with you and to send invoices to you.

This information may be retained as long as you use our service and as required by law (e.g. accounting records).


5. Third-party service providers

As a cloud-based service, we rely on the use of third-party service providers.

Name Services Provided Personal Data Processed
Cloudflare Edge computing, CDN, WAF. Email address.
Digital Ocean Core application processing on Report-URI administered systems, hosted on Digital Ocean hypervisor plane. Email address.
Microsoft Azure Core application storage. Database services. Email address.
Sendgrid Core application. Emailed sending and receipt (SMTP servers). Email address - automated emails sent by the system.
Sage Accounting SaaS. Invoicing and accounting information for Enterprise customers. May include contact information.
Stripe Payments Europe Payment Services. Payment card data. Payment card billing address. Billing history.

Other than Stripe Payments Europe and Sage, all these third-parties operate outside the UK or EEA. We have executed agreements that incorporate the European Commission's Standard Contractual Clauses (SCCs) with all providers to provide the necessary protection for personal data relating to you.

We're aware that the status of SCCs are under review following the Schrems II decision and will maintain awareness of this. However, it is important to remember that the only personal data processed by all these third parties is your email address and the other data related to logging in.


6. Security of data

As you'd expect from a company run by Scott, Michal and Troy, we're pretty serious about security. Although the systems we run process minimal personal data -- just your email address, password hash and a payment token -- our systems are designed, built, and operated securely.

We are certified against the UK's Cyber Essentials standard and our security is regularly tested by independent parties. You can read about our latest penetration test here.


7. Cookies

When you access the Report-URI website, eight first party cookies (from us) and one third party cookie (from Stripe, our payment processor) are stored on your computer, all are essential for the safe and secure operation of the site. The Cookies used are:

Party Cookie Purpose
1st __Host-report_uri_csrf Set to prevent CSRF, expires at the end of the session.
1st __Host-report_uri_sess Session cookie, expires at the end of the session.
1st __cf_bm Cloudflare Bot Management - The __cf_bm cookie supports Cloudflare Bot Management by managing incoming traffic that matches criteria associated with bots. The cookie does not collect any personal data, and any information collected is subject to one-way encryption. This encrypted file contains Cloudflare's proprietary bot score and helps manage incoming traffic that matches specific criteria.
This cookie is a session cookie that lasts for up to 30 minutes from the time you connect with our site.
1st __cfduid Cloudflare client identifier - The __cfduid cookie helps Cloudflare detect malicious visitors to the Report-URI website and minimizes blocking legitimate users. It may be to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It is necessary for supporting Cloudflare's security features.
The __cfduid cookie collects and anonymizes IP addresses using a one-way hash of certain values so they cannot be personally identified. The cookie is a session cookie that expires after 30 days.
The __cfduid cookie does not allow for cross-site tracking, or follow users from site to site by merging various __cfduid identifiers into a profile, or correspond to your Report-URI user ID.
1st __stripe_mid Fraud prevention and detection, expires after 12 months.
1st __stripe_sid Fraud prevention and detection, expires after 30 minutes.
1st __Secure-hideSeries-<report-type> Where <report-type> is the type of report. Currently csp only, but the code is generic enough to support all report types.
1st sidebar_closed Set when, yeah, you guessed it, the user closes the sidebar!
3rd m (m.stripe.com) Fraud prevention and detection, expires after 24 months.

8. Your rights
Getting a copy of your data

You can see the data we process about you related to logging in, in your account.

If you have registered a payment card and want a copy of the data you provided, please email info@report-uri.com.

If you are an enterprise customer and require a copy of any personal data, please email info@report-uri.com.


Correcting your data

If you believe any data we hold relating to you is incorrect, please email info@report-uri.com


Deleting your data

The processing of your personal data is necessary for your use of the service. If you delete your account this will also delete all the data related to you. This is a one-way process; it is not reversible.


9. Complaints?

We provide this service and process the minimum amount of personal data that we can. If you have questions or complaints, please address them to info@report-uri.com.

If you are not happy with how we have dealt with your questions or complaints in relation to how we process personal data, you can contact the UK Information Commissioner. The best place to start is https://ico.org.uk/make-a-complaint/.


10. Changes to this Privacy Policy

Although changes are likely to be minor, we may change our Privacy Policy from time to time, at our sole discretion. We'd encourage you to frequently check this page for any changes to this Privacy Policy.


11. Personal data received by Report-URI in telemetry and violation reports

The data that we receive from your customers' browsers and email gateways in telemetry and violation reports may constitute the personal data of your users or customers. Only you are able to make this determination and you should seek professional advice, we are not able to advise you.

There are two questions you need to consider:

  1. Does the UK or EU GDPR apply to you?
  2. Is the data received by Report-URI personal data that relates to identified or identifiable people who visit your website?

Typically, there are five types of data that are received by Report-URI which, for you, may be the personal data of visitors to your website. These are:

From a security and privacy perspective we would discourage anyone from including Personal Data in a URI, Fragment or Query String.

If you determine that Report-URI processes the personal data of your customers, and that therefore in GDPR terms, you are the Controller for this data, and Report-URI will act as your Processor, you must agree to amending our Terms of Service by incorporating our Data Processing Agreement after you upgrade from a free account.

You should determine that the reporting and data management functionality provided by Report-URI allows you to fulfil your obligations as a Controller.

Further information about the privacy implications of telemetry and violation reporting is available in the following detailed technical standards and RFC documents.

Standard RFC Document
General W3C Reporting API https://www.w3.org/TR/reporting/#privacy
Content Security Policy (CSP) https://www.w3.org/TR/CSP3/#security-considerations
Network Error Logging (NEL) https://www.w3.org/TR/network-error-logging/#privacy-considerations
Domain-based Message Authentication, Reporting, and Conformance (DMARC) https://tools.ietf.org/html/rfc7489#section-9
Transport Layer Security for Simple Mail Transport Protocol (SMTP over TLS) https://tools.ietf.org/html/rfc8460#section-8
Certificate Transparency (CT) https://tools.ietf.org/html/rfc6962

The forensic reporting option in DMARC (ruf) will expose the private information contained in an email. Report-URI does not support this option.

We have detailed further observations about a Controller's use of Report-URI as a Processor which is available in this document Report-URI and Data Protection.

This Privacy Policy is also available as a PDF download.