Data & Privacy
Privacy Policy
This page explains which personal data ReasyPort processes, the legal basis used for each processing activity, the providers involved, the retention logic applied, and the privacy choices available to you.
Effective date: 21 April 2026 · Cookie policy date: 21 April 2026 · Policy version: 2026-04-21
ReasyPort distinguishes between essential product records, internal product event logging, and optional third-party analytics. Analytics cookies remain optional; internal service records needed for requested features and security are described separately below.
Introduction
Scope and structure
This policy covers the ReasyPort website, account features, report delivery flows, support contact channels, and related service infrastructure that handles personal data for ReasyPort.
The processing register below is the primary operational summary for this deployment. It is intended to stay aligned with the code paths currently active in the product.
The Controller
Controller identity and contact details
Francesco Monterosso acts as the controller for the personal data described on this page.
ReasyPort has not appointed a Data Protection Officer, as its processing does not meet the criteria of Article 37 GDPR. For any data-protection question you may use the privacy contact above.
Processing Register
What data is processed and for which purpose
The following register summarises the main personal-data processing activities currently implemented in the product.
Account creation and account management
Create and maintain user accounts, store selected profile data, and return the correct account state across sessions.
Data categories
- Email address
- name
- username
- avatar choice
- account status
- language and notification preferences
Source
Provided directly by the user or created during sign-in.
Recipients / providers
- Francesco Monterosso
Retention
For the lifetime of the account and a limited post-closure support/compliance window.
Legal basis
Performance of a contract.
Required for the service or for internal operations
Google sign-in
Authenticate the user with Google and associate the external identity with a ReasyPort account.
Data categories
- Name
- email address
- profile image
- OAuth account identifiers
Source
Received from Google when the user chooses Google sign-in.
Recipients / providers
- Francesco Monterosso
Retention
Linked to the account while the Google authentication method remains connected.
Legal basis
Performance of a contract.
Required for the service or for internal operations
Transfer note: Google LLC is US-based; transfers outside the EEA rely on the EU–US Data Privacy Framework and/or Standard Contractual Clauses.
Magic-link sign-in emails
Send one-time sign-in links and associated transactional authentication messages.
Data categories
- Email address
- magic-link request metadata
- delivery status metadata
Source
Provided directly by the user when requesting email sign-in.
Recipients / providers
- Francesco Monterosso
- Resend
Retention
Up to 180 days.
Legal basis
Performance of a contract.
Required for the service or for internal operations
Transfer note: Resend is US-based (AWS); transfers outside the EEA rely on the EU–US Data Privacy Framework and/or Standard Contractual Clauses.
Weekly macro newsletter
Send the weekly macro newsletter to subscribers who opted in, including the double opt-in confirmation email and the one-click unsubscribe in every issue.
Data categories
- Email address
- subscription status
- consent timestamp
- language preference
- delivery metadata
Source
Provided directly by the user via the newsletter sign-up form.
Recipients / providers
- Francesco Monterosso
- Resend
Retention
Until the user unsubscribes or withdraws consent; the unsubscribe record is kept to honour the opt-out.
Legal basis
Consent (Art. 6(1)(a) GDPR); withdrawable at any time via the unsubscribe link in every email.
Consent required
Transfer note: Resend is US-based (AWS); transfers outside the EEA rely on the EU–US Data Privacy Framework and/or Standard Contractual Clauses.
Session and security logging
Protect accounts, detect abuse, preserve admin access integrity, and maintain session security.
Data categories
- Session tokens
- login timestamps
- security event metadata
- short-lived admin challenge/session cookies
Source
Generated automatically during sign-in, session usage, and admin access flows.
Recipients / providers
- Francesco Monterosso
Retention
Up to 180 days.
Legal basis
Legitimate interests in platform security and, where relevant, performance of a contract.
Required for the service or for internal operations
Protected report access and download records
Deliver requested report files, troubleshoot access, and investigate misuse of protected content.
Data categories
- User id if signed in
- report identifier
- ticker
- tier
- language
- download timestamp
- network identifier hashes
- short-lived raw IP and user-agent where necessary for abuse investigation
Source
Generated automatically when a report is opened or downloaded.
Recipients / providers
- Francesco Monterosso
- Supabase
Retention
Up to 90 days.
Legal basis
Performance of a contract and legitimate interests in service security.
Required for the service or for internal operations
Transfer note: Application data is hosted in Supabase's EU region (Stockholm, eu-north-1); it is not transferred outside the EEA for primary storage.
Internal product event logging
Measure feature usage inside the product without relying on optional analytics cookies, and improve navigation, discovery, and content coverage.
Data categories
- User id if signed in
- pseudonymous event metadata
- ticker or report context
- approximate country/region derived from request headers
Source
Generated automatically when the user interacts with product features.
Recipients / providers
- Francesco Monterosso
Retention
Up to 90 days.
Legal basis
Legitimate interests in product improvement and service planning.
Required for the service or for internal operations
Saved preferences and notification settings
Remember selected settings, saved content, watchlists, and requested notification preferences.
Data categories
- Language preference
- report language preference
- avatar selection
- saved companies
- watchlists
- notification toggles
Source
Provided directly by the user through account settings or requested product actions.
Recipients / providers
- Francesco Monterosso
Retention
While the account remains active or until the saved item or preference is removed.
Legal basis
Performance of a contract.
Required for the service or for internal operations
Optional analytics cookies and measurement
Measure traffic and broad product usage trends through Google Analytics 4 after the user opts in.
Data categories
- Usage events
- browser identifiers
- approximate geolocation
- cookie identifiers
Source
Collected only after the user actively accepts analytics.
Recipients / providers
- Francesco Monterosso
- Google Analytics 4
Retention
As configured by Google Analytics 4 and until the user withdraws analytics consent or clears the relevant cookies.
Legal basis
Consent.
Consent required
Transfer note: Google LLC is US-based; analytics data is processed outside the EEA under the EU–US Data Privacy Framework. IP addresses are anonymised and Google Signals/ad personalisation are disabled.
Support and direct contact requests
Handle support or privacy enquiries when the user contacts ReasyPort directly or opens a draft email via the website contact launcher.
Data categories
- Name
- email address
- subject line
- message content
Source
Provided directly by the user when emailing ReasyPort or launching a local mail draft from the contact page.
Recipients / providers
- Francesco Monterosso
Retention
For as long as the enquiry remains active and for a limited follow-up period afterwards.
Legal basis
Steps taken at the request of the user and legitimate interests in handling support communications.
Optional
Category summary
- Email address
- name
- username
- avatar choice
- account status
- language and notification preferences
- Name
- email address
- profile image
- OAuth account identifiers
- magic-link request metadata
- delivery status metadata
- subscription status
- consent timestamp
- language preference
- delivery metadata
- Session tokens
- login timestamps
- security event metadata
- short-lived admin challenge/session cookies
- User id if signed in
- report identifier
- ticker
- tier
- language
- download timestamp
- network identifier hashes
- short-lived raw IP and user-agent where necessary for abuse investigation
- pseudonymous event metadata
- ticker or report context
- approximate country/region derived from request headers
- Language preference
- report language preference
- avatar selection
- saved companies
- watchlists
- notification toggles
- Usage events
- browser identifiers
- approximate geolocation
- cookie identifiers
- subject line
- message content
Collection Sources
How the data reaches ReasyPort
- Provided directly by the user or created during sign-in.
- Received from Google when the user chooses Google sign-in.
- Provided directly by the user when requesting email sign-in.
- Provided directly by the user via the newsletter sign-up form.
- Generated automatically during sign-in, session usage, and admin access flows.
- Generated automatically when a report is opened or downloaded.
- Generated automatically when the user interacts with product features.
- Provided directly by the user through account settings or requested product actions.
- Collected only after the user actively accepts analytics.
- Provided directly by the user when emailing ReasyPort or launching a local mail draft from the contact page.
Legal Bases
How the legal bases map to the product
ReasyPort relies on four legal bases. Performance of a contract (Art. 6(1)(b) GDPR) for creating and operating your account, authentication, delivering requested reports, and saving your preferences. Consent (Art. 6(1)(a)) for optional analytics cookies and the weekly newsletter, which you may withdraw at any time. Legitimate interests (Art. 6(1)(f)) for platform and account security, abuse prevention, internal product-usage measurement, and handling support communications. Legal obligation (Art. 6(1)(c)) where disclosure or retention is required by law.
Performance of a contract.
- Account creation and account management
- Google sign-in
- Magic-link sign-in emails
- Saved preferences and notification settings
Consent (Art. 6(1)(a) GDPR); withdrawable at any time via the unsubscribe link in every email.
- Weekly macro newsletter
Legitimate interests in platform security and, where relevant, performance of a contract.
- Session and security logging
Performance of a contract and legitimate interests in service security.
- Protected report access and download records
Legitimate interests in product improvement and service planning.
- Internal product event logging
Consent.
- Optional analytics cookies and measurement
Steps taken at the request of the user and legitimate interests in handling support communications.
- Support and direct contact requests
Where ReasyPort relies on legitimate interests, it has assessed that those interests are not overridden by your rights and freedoms. You may object to legitimate-interest processing at any time on grounds relating to your particular situation, using the contacts at the end of this page.
ReasyPort uses essential storage for requested features, a first-party subject identifier plus consent record for privacy preference tracking, and optional analytics cookies only after the user actively accepts analytics.
Analytics consent can be granted, refused, or withdrawn with the same ease from the banner, from the footer preference entry, or from Profile > Privacy. The current preference is recorded server-side for audit purposes and also stored locally to drive the client-side experience.
Internal product event logging used to run requested features or improve the service without third-party analytics cookies is described separately in the processing register and does not rely on Google Analytics 4.
Providers
Third-party services actually used in the product
Authentication provider for Google sign-in
Data categories
- Name
- email address
- profile image
- OAuth account identifiers
Purpose
- Allow secure Google sign-in
- Link the social account to a ReasyPort account
Transfer note: Google LLC is US-based; transfers outside the EEA rely on the EU–US Data Privacy Framework and/or Standard Contractual Clauses.
Resend
Transactional and contact email delivery provider (magic-link sign-in, notification and contact-form emails)
Data categories
- Email address
- email subject and message body
- delivery metadata
Purpose
- Send one-time sign-in links and authentication emails
- deliver notification and contact-form messages
Transfer note: Resend is US-based (AWS); transfers outside the EEA rely on the EU–US Data Privacy Framework and/or Standard Contractual Clauses.
Supabase
Database and storage provider for application data and private report assets
Data categories
- Account and profile data
- saved companies and watchlists
- stored report access metadata
- service logs
Purpose
- Store application and user data
- store and serve private report assets
Transfer note: Application data is hosted in Supabase's EU region (Stockholm, eu-north-1); it is not transferred outside the EEA for primary storage.
Google Analytics 4
Optional analytics provider activated only after analytics consent
Data categories
- Usage events
- browser identifiers
- approximate geolocation
- cookie identifiers
Purpose
- Measure traffic and product usage trends
- support product improvement decisions
Transfer note: Google LLC is US-based; analytics data is processed outside the EEA under the EU–US Data Privacy Framework. IP addresses are anonymised and Google Signals/ad personalisation are disabled.
Data Sharing
How data is shared
ReasyPort does not sell personal data. Personal data is shared only to the extent needed to operate the product, deliver requested functionality, send authentication emails, or comply with applicable law.
- With processors and infrastructure providers that support authentication, email delivery, storage, and optional analytics.
- With competent authorities where disclosure is legally required.
- In connection with a corporate transaction, subject to appropriate continuity of protection.
Retention
Technical retention and purge logic
Retention is defined per dataset and is also implemented in maintenance tooling. The current operational policy for this deployment is summarised below.
Report download logs
Retention: up to 90 days.
Purge strategy: delete. Download records are retained for service operations, fraud monitoring, and support investigations. Only hashed network identifiers are stored.
Security and access events
Retention: up to 180 days.
Purge strategy: delete. Security-relevant events are retained to investigate abuse, account misuse, and admin access issues.
Operational product events
Retention: up to 120 days.
Purge strategy: delete. Operational product events support requested features, support handling, and service integrity.
Internal product intelligence events
Retention: up to 90 days.
Purge strategy: delete. Internal product analytics events are kept for a limited period to understand feature usage and improve the product.
Privacy and cookie consent records
Retention: up to 730 days.
Purge strategy: delete. Consent records are retained to document the user choice history for a limited audit period.
Company and report request records
Retention: up to 365 days.
Purge strategy: review. Request records remain available while the request is active and for a limited period afterwards for support follow-up.
Privacy and cookie consent records: kept for up to 24 months to document your consent history for audit purposes.
Your Rights
Your privacy rights
- Access to the personal data held about you.
- Rectification of inaccurate or incomplete data.
- Erasure where the data is no longer required or processing is otherwise no longer justified.
- Restriction of processing in the cases provided by applicable law.
- Objection to processing based on legitimate interests where applicable.
- Data portability where the right applies.
- Withdrawal of consent at any time for optional analytics without affecting prior processing.
- Lodging a complaint with a supervisory authority — in Italy this is the Garante per la protezione dei dati personali (www.garanteprivacy.it), or the data protection authority of your country of residence.
Requests can be sent through the contact details at the end of this page. ReasyPort may ask for reasonable identity verification before fulfilling a privacy request.
ReasyPort does not carry out automated decision-making that produces legal or similarly significant effects concerning you, nor profiling within the meaning of Article 22 GDPR.
Transfers
International transfers
Some providers used by ReasyPort process data outside the EEA. Where this occurs, ReasyPort ensures the transfer is covered by an appropriate safeguard under Chapter V GDPR — an adequacy decision, the EU–US Data Privacy Framework, or Standard Contractual Clauses, together with any supplementary measures required. Details for each provider are given in the processing register and provider section above.
Transfer notes for the currently configured providers are included in the processing register and provider section above.
Security
Security measures
The product uses HTTPS transport, account authentication controls, server-side session handling, short-lived admin challenge/session cookies, access gating for protected report files, and limited event logging for security and support purposes.
No online service can guarantee absolute security. If you believe your account or a privacy preference has been misused, contact ReasyPort using the addresses below.
Children
Children's privacy
ReasyPort is intended for adults and is not designed for children. If you believe a child has submitted personal data through the service, contact ReasyPort so that the matter can be reviewed and the data can be removed where appropriate.
Updates
Changes to this policy
This page may be updated when the product, providers, or privacy controls change. Material updates should be published here with an updated effective date and, where appropriate, surfaced in-product.
Get in Touch
Privacy and support contacts
ReasyPort aims to respond to privacy requests within the time required by applicable law. Some requests may require additional verification or follow-up.