This Agreement was last modified on March 25th, 2021.
1. The TL;DR version
- We use your email address as your username, and to send emails about your use of Report-URI and our services
- We use your payment card data to allow us to process your monthly subscription
- Report-URI runs on established cloud service providers including Stripe, Cloudflare, Microsoft Azure, and Digital Ocean, and some data is processed outside of the UK and EEA
- We're quite serious about security
- We only use essential cookies to provide our service (that's why there isn't a cookie pop-up)
- If you are a data Controller as defined by GDPR and you believe that the data received by Report-URI in your telemetry and violation reports will contain the personal data of your users or customers, you must let us know if you want to designate Report-URI as your data Processor
2. Data related to logging in
When you sign up for an account at Report-URI you need to provide your email address and a password.
As part of the sign-up process, we use Google's reCAPTCHA service which is essential to prevent automated bot registrations. Google's use of the data processed by reCAPTCHA is described at https://policies.google.com/technologies/partner-sites.
The email address you provide is stored and is used as a unique identifier for you to login. It is also used to send you emails in relation to your use of the service, ask for your feedback, and inform you of changes and enhancements to our services.
The password you choose is salted, hashed and stored. This hash is used every time you login to authenticate that the person logging in and claiming to be you, really is you.
We also create a unique UserID (think GUID) for your account. This is used reference your account and for internal administration.
Data related to logging in is retained until your account is deleted.
By signing up for an account at Report-URI, you agree that we can use this information relating to you for these purposes. No other information is required for you to use the service.
3. Data related to payments
When you enter your payment card information we require the following data.
- A company or person name that the payment card is registered to
- The country of residence
- The billing address, city, and postcode that the payment card is registered to
- An optional EU VAT ID
- The Primary Account Number (PAN), expiration date and verification code of the payment card
This data is sent directly to Stripe Payments Europe from your browser. The Report-URI servers never see this data, instead Stripe send us a reference which we use when we want to alter your monthly payment.
This information, along with your payment history, is necessary for us to process payments in accordance with our terms of service. It is retained as long as you continue to use Report-URI.
4. Data related to your engagement with us
If you email us to ask about our services or require to be invoiced before paying, then we will process the data you provide to us in emails which may include your name, telephone number(s), job title, company and physical address. We use this information to communicate with you and to send invoices to you.
This information may be retained as long as you use our service and as required by law (e.g. accounting records).
5. Third-party service providers
As a cloud-based service, we rely on the use of third-party service providers.
|Name||Services Provided||Personal Data Processed|
|Cloudflare||Edge computing, CDN, WAF.||Email address.|
|Digital Ocean||Core application processing on Report-URI administered systems, hosted on Digital Ocean hypervisor plane.||Email address.|
|Microsoft Azure||Core application storage. Database services.||Email address.|
|Sendgrid||Core application. Emailed sending and receipt (SMTP servers).||Email address - automated emails sent by the system.|
|Sage||Accounting SaaS.||Invoicing and accounting information for Enterprise customers. May include contact information.|
|Stripe Payments Europe||Payment Services.||Payment card data. Payment card billing address. Billing history.|
Other than Stripe Payments Europe and Sage, all these third-parties operate outside the UK or EEA. We have executed agreements that incorporate the European Commission's Standard Contractual Clauses (SCCs) with all providers to provide the necessary protection for personal data relating to you.
We're aware that the status of SCCs are under review following the Schrems II decision and will maintain awareness of this. However, it is important to remember that the only personal data processed by all these third parties is your email address and the other data related to logging in.
6. Security of data
As you'd expect from a company run by Scott, Michal and Troy, we're pretty serious about security. Although the systems we run process minimal personal data -- just your email address, password hash and a payment token -- our systems are designed, built, and operated securely.
When you access the Report-URI website, eight first party cookies (from us) and one third party cookie (from Stripe, our payment processor) are stored on your computer, all are essential for the safe and secure operation of the site. The Cookies used are:
|1st||__Host-report_uri_csrf||Set to prevent CSRF, expires at the end of the session.|
|1st||__Host-report_uri_sess||Session cookie, expires at the end of the session.|
|1st||__cf_bm||Cloudflare Bot Management - The __cf_bm cookie supports Cloudflare Bot Management by managing incoming traffic that matches criteria associated with bots. The cookie does not collect any personal data, and any information collected is subject to one-way encryption. This encrypted file contains Cloudflare's proprietary bot score and helps manage incoming traffic that matches specific criteria.
This cookie is a session cookie that lasts for up to 30 minutes from the time you connect with our site.
|1st||__cfduid||Cloudflare client identifier - The __cfduid cookie helps Cloudflare detect malicious visitors to the Report-URI website and minimizes blocking legitimate users. It may be to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It is necessary for supporting Cloudflare's security features.
The __cfduid cookie collects and anonymizes IP addresses using a one-way hash of certain values so they cannot be personally identified. The cookie is a session cookie that expires after 30 days.
The __cfduid cookie does not allow for cross-site tracking, or follow users from site to site by merging various __cfduid identifiers into a profile, or correspond to your Report-URI user ID.
|1st||__stripe_mid||Fraud prevention and detection, expires after 12 months.|
|1st||__stripe_sid||Fraud prevention and detection, expires after 30 minutes.|
|1st||__Secure-hideSeries-<report-type>||Where <report-type> is the type of report. Currently csp only, but the code is generic enough to support all report types.|
|1st||sidebar_closed||Set when, yeah, you guessed it, the user closes the sidebar!|
|3rd||m (m.stripe.com)||Fraud prevention and detection, expires after 24 months.|
8. Your rights
Getting a copy of your data
You can see the data we process about you related to logging in, in your account.
If you have registered a payment card and want a copy of the data you provided, please email email@example.com.
If you are an enterprise customer and require a copy of any personal data, please email firstname.lastname@example.org.
Correcting your data
If you believe any data we hold relating to you is incorrect, please email email@example.com
Deleting your data
The processing of your personal data is necessary for your use of the service. If you delete your account this will also delete all the data related to you. This is a one-way process; it is not reversible.
We provide this service and process the minimum amount of personal data that we can. If you have questions or complaints, please address them to firstname.lastname@example.org.
If you are not happy with how we have dealt with your questions or complaints in relation to how we process personal data, you can contact the UK Information Commissioner. The best place to start is https://ico.org.uk/make-a-complaint/.
11. Personal data received by Report-URI in telemetry and violation reports
The data that we receive from your customers' browsers and email gateways in telemetry and violation reports may constitute the personal data of your users or customers. Only you are able to make this determination and you should seek professional advice, we are not able to advise you.
There are two questions you need to consider:
- Does the UK or EU GDPR apply to you?
- Is the data received by Report-URI personal data that relates to identified or identifiable people who visit your website?
Typically, there are five types of data that are received by Report-URI which, for you, may be the personal data of visitors to your website. These are:
- IP address: although we receive this it is discarded and not stored.
- HTTP Referrer: The referring site may be received as part of a report and may contain the data relating to an identified or identifiable person. By default the HTTP Referrer is discarded and not stored, however a Report-URI user can change this setting and allow it to be stored.
- Document URI: The structure of your URI may relate to an identified or identifiable person, for example www.yoursite.com/profile/john/doe/12345/. URIs are received and stored.
- Query String: A query string may relate to an identified or identifiable person, for example www.yoursite.com/editprofile?userID=12345&name=JohnDoe. Query String is received in the telemetry or violation reports, and by default it is discarded and not stored. However a Report-URI user can change this default and allow Query String to be stored.
- URI Fragments: A URI Fragment may relate to an identified or identifiable person, for example www.customer.com/editprofile\#JohnDoe-12345. The default behaviour is that all fragments are discarded by Report-URI before the telemetry report is stored. However, this can be overridden by the Customer.
From a security and privacy perspective we would discourage anyone from including Personal Data in a URI, Fragment or Query String.
If you determine that Report-URI processes the personal data of your customers, and that therefore in GDPR terms, you are the Controller for this data, and Report-URI will act as your Processor, you must agree to amending our Terms of Service by incorporating our Data Processing Agreement after you upgrade from a free account.
You should determine that the reporting and data management functionality provided by Report-URI allows you to fulfil your obligations as a Controller.
Further information about the privacy implications of telemetry and violation reporting is available in the following detailed technical standards and RFC documents.
|General W3C Reporting API||https://www.w3.org/TR/reporting/#privacy|
|Content Security Policy (CSP)||https://www.w3.org/TR/CSP3/#security-considerations|
|Network Error Logging (NEL)||https://www.w3.org/TR/network-error-logging/#privacy-considerations|
|Domain-based Message Authentication, Reporting, and Conformance (DMARC)||https://tools.ietf.org/html/rfc7489#section-9|
|Transport Layer Security for Simple Mail Transport Protocol (SMTP over TLS)||https://tools.ietf.org/html/rfc8460#section-8|
|Certificate Transparency (CT)||https://tools.ietf.org/html/rfc6962|
The forensic reporting option in DMARC (ruf) will expose the private information contained in an email. Report-URI does not support this option.
We have detailed further observations about a Controller's use of Report-URI as a Processor which is available in this document Report-URI and Data Protection.