Privacy Policy

This Agreement was last modified on October 30th, 2023.
1. The TL;DR version
2. Data related to logging in

When you sign up for an account at Report-URI you need to provide your email address and a password.

As part of the sign-up process, we use Google's reCAPTCHA service which is essential to prevent automated bot registrations. Google's use of the data processed by reCAPTCHA is described at

The email address you provide is stored and is used as a unique identifier for you to login. It is also used to send you emails in relation to your use of the service, ask for your feedback, and inform you of changes and enhancements to our services.

The password you choose is salted, hashed and stored. This hash is used every time you login to authenticate that the person logging in and claiming to be you, really is you.

We also create a unique UserID (think GUID) for your account. This is used reference your account and for internal administration.

Data related to logging in is retained until your account is deleted.

By signing up for an account at Report-URI, you agree that we can use this information relating to you for these purposes. No other information is required for you to use the service.

3. Data related to payments

When you enter your payment card information we require the following data.

To enter your payment card information your browser will be redirected to Stripe Payment Europe. Report-URI never sees this data, instead Stripe send us a reference.

This information, along with your payment history, is necessary for us to process payments in accordance with our terms of service. It is retained as long as you continue to use Report-URI.

In addition to Stripe Payments Europe acting as our payment processor, Stripe also uses the data provided for their own purposes which include the prevention and detection of fraud and their own regulatory obligations. You can find out more about how Stripe uses your data in their privacy policy at

4. Data related to your engagement with us

If you email us to ask about our services or require to be invoiced before paying, then we will process the data you provide to us in emails which may include your name, telephone number(s), job title, company and physical address. We use this information to communicate with you and to send invoices to you.

This information may be retained as long as you use our service and as required by law (e.g. accounting records).

If you sign up for a webinar, we'll use your email address to provide access to the webinar and to follow-up. You can unsubscribe from our emails at any time.

5. Third-party service providers

As a cloud-based service, we rely on the use of third-party service providers.

Name Services Provided Personal Data Processed
Cloudflare Edge computing, CDN, WAF. Email address.
Digital Ocean Core application processing on Report-URI administered systems, hosted on Digital Ocean hypervisor plane. Email address.
Microsoft Azure Core application storage. Database services. Email address.
Sendgrid Core application. Emailed sending and receipt (SMTP servers). Email address - automated emails sent by the system.
Sage Accounting SaaS. Invoicing and accounting information for Enterprise customers. May include contact information.
Stripe Payments Europe Payment Services. Payment card data. Payment card billing address. Billing history.

Other than Stripe Payments Europe and Sage, all these third-parties operate outside the UK or EEA. For EU-based customers, we have executed agreements that incorporate the European Commission’s revised Standard Contractual Clauses (SCCs) with all third-parties to provide the necessary protection for personal data relating to you. For UK-based customers, the previous Commission SCCs approved by the ICO are still effective.

We have undertaken a Transfer Impact Assessment in respect of the transfer of personal data to the US and assessed that the risk of US authorities’ lawful access to this data is negligible. However, it is important to remember that the only personal data processed by all these third parties is your email address and the other data related to logging in.

6. Security of data

As you'd expect from a company run by Scott, we're pretty serious about security. Although the systems we run process minimal personal data -- just your email address, password hash and a payment token -- our systems are designed, built, and operated securely.

Our security is regularly tested by independent parties and you can read about our latest penetration test here.

7. Cookies

When you access the Report-URI website, six first party cookies (from us) are stored on your computer, all are essential for the safe and secure operation of the site. The Cookies used are:

Party Cookie Purpose
1st _nss Set to prevent CSRF, expires at the end of the session.
1st __Host-report_uri_csrf Set to prevent CSRF, expires in two hours.
1st __Host-report_uri_sess Session cookie, expires in 24 hours.
1st __cf_bm Cloudflare Bot Management - The __cf_bm cookie supports Cloudflare Bot Management by managing incoming traffic that matches criteria associated with bots. The cookie does not collect any personal data, and any information collected is subject to one-way encryption. This encrypted file contains Cloudflare's proprietary bot score and helps manage incoming traffic that matches specific criteria. This cookie is a session cookie that lasts for up to 30 minutes from the time you connect with our site.
1st __Secure-hideSeries-<report-type> Where <report-type> is the type of report. Currently for csp only, but the code is generic enough to support all report types. Used to remember which data series the user has hidden from the graph. Expires after one year.
1st sidebar_closed Set when, you guessed it, the user closes the sidebar! Expires at the end of the session.
8. Your rights
Getting a copy of your data

You can see the data we process about you related to logging in, in your account.

If you have registered a payment card and want a copy of the data you provided, please email

If you are an enterprise customer and require a copy of any personal data, please email

Correcting your data

If you believe any data we hold relating to you is incorrect, please email

Deleting your data

The processing of your personal data is necessary for your use of the service. If you delete your account this will also delete all the data related to you. This is a one-way process; it is not reversible.

9. Complaints?

We provide this service and process the minimum amount of personal data that we can. If you have questions or complaints, please address them to

If you are not happy with how we have dealt with your questions or complaints in relation to how we process personal data, you can contact the UK Information Commissioner. The best place to start is

10. Changes to this Privacy Policy

Although changes are likely to be minor, we may change our Privacy Policy from time to time, at our sole discretion. We'd encourage you to frequently check this page for any changes to this Privacy Policy.

11. Personal data received by Report-URI in telemetry and violation reports

The data that we receive from your customers' browsers and email gateways in telemetry and violation reports may constitute the personal data of your users or customers. Only you are able to make this determination and you should seek professional advice, we are not able to advise you.

There are two questions you need to consider:

  1. Does the UK or EU GDPR apply to you?
  2. Is the data received by Report-URI personal data that relates to identified or identifiable people who visit your website?

Typically, there are five types of data that are received by Report-URI which, for you, may be the personal data of visitors to your website. These are:

From a security and privacy perspective we would discourage anyone from including Personal Data in a URI, Fragment or Query String.

If you determine that Report-URI processes the personal data of your customers, and that therefore in GDPR terms, you are the Controller for this data, and Report-URI will act as your Processor, you must agree to amending our Terms of Service by incorporating our Data Processing Agreement after you upgrade from a free account.

You should determine that the reporting and data management functionality provided by Report-URI allows you to fulfil your obligations as a Controller.

Further information about the privacy implications of telemetry and violation reporting is available in the following detailed technical standards and RFC documents.

Standard RFC Document
General W3C Reporting API
Content Security Policy (CSP)
Network Error Logging (NEL)
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
Transport Layer Security for Simple Mail Transport Protocol (SMTP over TLS)
Certificate Transparency (CT)

The forensic reporting option in DMARC (ruf) will expose the private information contained in an email. Report-URI does not support this option.

We have detailed further observations about a Controller's use of Report-URI as a Processor which is available in this document Report-URI and Data Protection.

This Privacy Policy is also available as a PDF download.

This policy was last updated on 30 October 2023 (1v10):