When you sign up for an account at Report-URI you need to provide your email address and a password.
As part of the sign-up process, we use Google's reCAPTCHA service which is essential to prevent automated bot registrations. Google's use of the data processed by reCAPTCHA is described at https://policies.google.com/technologies/partner-sites.
The email address you provide is stored and is used as a unique identifier for you to login. It is also used to send you emails in relation to your use of the service, ask for your feedback, and inform you of changes and enhancements to our services.
The password you choose is salted, hashed and stored. This hash is used every time you login to authenticate that the person logging in and claiming to be you, really is you.
We also create a unique UserID (think GUID) for your account. This is used reference your account and for internal administration.
Data related to logging in is retained until your account is deleted.
By signing up for an account at Report-URI, you agree that we can use this information relating to you for these purposes. No other information is required for you to use the service.
When you enter your payment card information we require the following data.
This data is sent directly to Stripe Payments Europe from your browser. The Report-URI servers never see this data, instead Stripe send us a reference which we use when we want to alter your monthly payment.
This information, along with your payment history, is necessary for us to process payments in accordance with our terms of service. It is retained as long as you continue to use Report-URI.
In addition to Stripe Payments Europe acting as our payment processor, Stripe also uses the data provided for their own purposes which include the prevention and detection of fraud and their own regulatory obligations. You can find out more about how Stripe uses your data in their privacy policy at https://stripe.com/gb/privacy.
If you email us to ask about our services or require to be invoiced before paying, then we will process the data you provide to us in emails which may include your name, telephone number(s), job title, company and physical address. We use this information to communicate with you and to send invoices to you.
This information may be retained as long as you use our service and as required by law (e.g. accounting records).
As a cloud-based service, we rely on the use of third-party service providers.
| Name | Services Provided | Personal Data Processed |
|---|---|---|
| Cloudflare | Edge computing, CDN, WAF. | Email address. |
| Digital Ocean | Core application processing on Report-URI administered systems, hosted on Digital Ocean hypervisor plane. | Email address. |
| Microsoft Azure | Core application storage. Database services. | Email address. |
| Sendgrid | Core application. Emailed sending and receipt (SMTP servers). | Email address - automated emails sent by the system. |
| Sage | Accounting SaaS. | Invoicing and accounting information for Enterprise customers. May include contact information. |
| Stripe Payments Europe | Payment Services. | Payment card data. Payment card billing address. Billing history. |
Other than Stripe Payments Europe and Sage, all these third-parties operate outside the UK or EEA. For EU-based customers, we have executed agreements that incorporate the European Commission’s revised Standard Contractual Clauses (SCCs) with all third-parites to provide the necessary protection for personal data relating to you. For UK-based customers, the previous Commission SCCs approved by the ICO are still effective.
We have undertaken a Transfer Impact Assessment in respect of the transfer of personal data to the US and assessed that the risk of US authorities’ lawful access to this data is negligible. However, it is important to remember that the only personal data processed by all these third parties is your email address and the other data related to logging in.
As you'd expect from a company run by Scott, Michal and Troy, we're pretty serious about security. Although the systems we run process minimal personal data -- just your email address, password hash and a payment token -- our systems are designed, built, and operated securely.
We are certified against the UK's Cyber Essentials standard and our security is regularly tested by independent parties. You can read about our latest penetration test here.
When you access the Report-URI website, seven first party cookies (from us) and one third party cookie (from Stripe, our payment processor) are stored on your computer, all are essential for the safe and secure operation of the site. The Cookies used are:
| Party | Cookie | Purpose |
|---|---|---|
| 1st | __Host-report_uri_csrf | Set to prevent CSRF, expires at the end of the session. |
| 1st | __Host-report_uri_sess | Session cookie, expires at the end of the session. |
| 1st | __cf_bm | Cloudflare Bot Management - The __cf_bm cookie supports Cloudflare Bot Management by managing incoming traffic that matches criteria associated with bots. The cookie does not collect any personal data, and any information collected is subject to one-way encryption. This encrypted file contains Cloudflare's proprietary bot score and helps manage incoming traffic that matches specific criteria. This cookie is a session cookie that lasts for up to 30 minutes from the time you connect with our site. |
| 1st | __stripe_mid | Fraud prevention and detection, expires after 12 months. |
| 1st | __stripe_sid | Fraud prevention and detection, expires after 30 minutes. |
| 1st | __Secure-hideSeries-<report-type> | Where <report-type> is the type of report. Currently csp only, but the code is generic enough to support all report types. |
| 1st | sidebar_closed | Set when, yeah, you guessed it, the user closes the sidebar! |
| 3rd | m (m.stripe.com) | Fraud prevention and detection, expires after 24 months. |
You can see the data we process about you related to logging in, in your account.
If you have registered a payment card and want a copy of the data you provided, please email info@report-uri.com.
If you are an enterprise customer and require a copy of any personal data, please email info@report-uri.com.
If you believe any data we hold relating to you is incorrect, please email info@report-uri.com
The processing of your personal data is necessary for your use of the service. If you delete your account this will also delete all the data related to you. This is a one-way process; it is not reversible.
We provide this service and process the minimum amount of personal data that we can. If you have questions or complaints, please address them to info@report-uri.com.
If you are not happy with how we have dealt with your questions or complaints in relation to how we process personal data, you can contact the UK Information Commissioner. The best place to start is https://ico.org.uk/make-a-complaint/.
Although changes are likely to be minor, we may change our Privacy Policy from time to time, at our sole discretion. We'd encourage you to frequently check this page for any changes to this Privacy Policy.
The data that we receive from your customers' browsers and email gateways in telemetry and violation reports may constitute the personal data of your users or customers. Only you are able to make this determination and you should seek professional advice, we are not able to advise you.
There are two questions you need to consider:
Typically, there are five types of data that are received by Report-URI which, for you, may be the personal data of visitors to your website. These are:
From a security and privacy perspective we would discourage anyone from including Personal Data in a URI, Fragment or Query String.
If you determine that Report-URI processes the personal data of your customers, and that therefore in GDPR terms, you are the Controller for this data, and Report-URI will act as your Processor, you must agree to amending our Terms of Service by incorporating our Data Processing Agreement after you upgrade from a free account.
You should determine that the reporting and data management functionality provided by Report-URI allows you to fulfil your obligations as a Controller.
Further information about the privacy implications of telemetry and violation reporting is available in the following detailed technical standards and RFC documents.
| Standard | RFC Document |
|---|---|
| General W3C Reporting API | https://www.w3.org/TR/reporting/#privacy |
| Content Security Policy (CSP) | https://www.w3.org/TR/CSP3/#security-considerations |
| Network Error Logging (NEL) | https://www.w3.org/TR/network-error-logging/#privacy-considerations |
| Domain-based Message Authentication, Reporting, and Conformance (DMARC) | https://tools.ietf.org/html/rfc7489#section-9 |
| Transport Layer Security for Simple Mail Transport Protocol (SMTP over TLS) | https://tools.ietf.org/html/rfc8460#section-8 |
| Certificate Transparency (CT) | https://tools.ietf.org/html/rfc6962 |
The forensic reporting option in DMARC (ruf) will expose the private information contained in an email. Report-URI does not support this option.
We have detailed further observations about a Controller's use of Report-URI as a Processor which is available in this document Report-URI and Data Protection.
This Privacy Policy is also available as a PDF download.