Skip to content

Data & Privacy

Privacy Policy

This page explains which personal data ReasyPort processes, the legal basis used for each processing activity, the providers involved, the retention logic applied, and the privacy choices available to you.

Effective date: 21 April 2026 · Cookie policy date: 21 April 2026 · Policy version: 2026-04-21

Controller identityProcessing registerRetention controlsProvider transparency

ReasyPort distinguishes between essential product records, internal product event logging, and optional third-party analytics. Analytics cookies remain optional; internal service records needed for requested features and security are described separately below.

Introduction

Scope and structure

This policy covers the ReasyPort website, account features, report delivery flows, support contact channels, and related service infrastructure that handles personal data for ReasyPort.

The processing register below is the primary operational summary for this deployment. It is intended to stay aligned with the code paths currently active in the product.

The Controller

Controller identity and contact details

Francesco Monterosso acts as the controller for the personal data described on this page.

Controller nameFrancesco Monterosso
CountryItaly
Privacy contactprivacy@reasyport.com
Support contactsupport@reasyport.com
Legal contactlegal@reasyport.com

ReasyPort has not appointed a Data Protection Officer, as its processing does not meet the criteria of Article 37 GDPR. For any data-protection question you may use the privacy contact above.

Processing Register

What data is processed and for which purpose

The following register summarises the main personal-data processing activities currently implemented in the product.

Account creation and account management

Create and maintain user accounts, store selected profile data, and return the correct account state across sessions.

Data categories

  • Email address
  • name
  • username
  • avatar choice
  • account status
  • language and notification preferences

Source

Provided directly by the user or created during sign-in.

Recipients / providers

  • Francesco Monterosso

Retention

For the lifetime of the account and a limited post-closure support/compliance window.

Legal basis

Performance of a contract.

Required for the service or for internal operations

Google sign-in

Authenticate the user with Google and associate the external identity with a ReasyPort account.

Data categories

  • Name
  • email address
  • profile image
  • OAuth account identifiers

Source

Received from Google when the user chooses Google sign-in.

Recipients / providers

  • Francesco Monterosso
  • Google

Retention

Linked to the account while the Google authentication method remains connected.

Legal basis

Performance of a contract.

Required for the service or for internal operations

Transfer note: Google LLC is US-based; transfers outside the EEA rely on the EU–US Data Privacy Framework and/or Standard Contractual Clauses.

Magic-link sign-in emails

Send one-time sign-in links and associated transactional authentication messages.

Data categories

  • Email address
  • magic-link request metadata
  • delivery status metadata

Source

Provided directly by the user when requesting email sign-in.

Recipients / providers

  • Francesco Monterosso
  • Resend

Retention

Up to 180 days.

Legal basis

Performance of a contract.

Required for the service or for internal operations

Transfer note: Resend is US-based (AWS); transfers outside the EEA rely on the EU–US Data Privacy Framework and/or Standard Contractual Clauses.

Weekly macro newsletter

Send the weekly macro newsletter to subscribers who opted in, including the double opt-in confirmation email and the one-click unsubscribe in every issue.

Data categories

  • Email address
  • subscription status
  • consent timestamp
  • language preference
  • delivery metadata

Source

Provided directly by the user via the newsletter sign-up form.

Recipients / providers

  • Francesco Monterosso
  • Resend

Retention

Until the user unsubscribes or withdraws consent; the unsubscribe record is kept to honour the opt-out.

Legal basis

Consent (Art. 6(1)(a) GDPR); withdrawable at any time via the unsubscribe link in every email.

Consent required

Transfer note: Resend is US-based (AWS); transfers outside the EEA rely on the EU–US Data Privacy Framework and/or Standard Contractual Clauses.

Session and security logging

Protect accounts, detect abuse, preserve admin access integrity, and maintain session security.

Data categories

  • Session tokens
  • login timestamps
  • security event metadata
  • short-lived admin challenge/session cookies

Source

Generated automatically during sign-in, session usage, and admin access flows.

Recipients / providers

  • Francesco Monterosso

Retention

Up to 180 days.

Legal basis

Legitimate interests in platform security and, where relevant, performance of a contract.

Required for the service or for internal operations

Protected report access and download records

Deliver requested report files, troubleshoot access, and investigate misuse of protected content.

Data categories

  • User id if signed in
  • report identifier
  • ticker
  • tier
  • language
  • download timestamp
  • network identifier hashes
  • short-lived raw IP and user-agent where necessary for abuse investigation

Source

Generated automatically when a report is opened or downloaded.

Recipients / providers

  • Francesco Monterosso
  • Supabase

Retention

Up to 90 days.

Legal basis

Performance of a contract and legitimate interests in service security.

Required for the service or for internal operations

Transfer note: Application data is hosted in Supabase's EU region (Stockholm, eu-north-1); it is not transferred outside the EEA for primary storage.

Internal product event logging

Measure feature usage inside the product without relying on optional analytics cookies, and improve navigation, discovery, and content coverage.

Data categories

  • User id if signed in
  • pseudonymous event metadata
  • ticker or report context
  • approximate country/region derived from request headers

Source

Generated automatically when the user interacts with product features.

Recipients / providers

  • Francesco Monterosso

Retention

Up to 90 days.

Legal basis

Legitimate interests in product improvement and service planning.

Required for the service or for internal operations

Saved preferences and notification settings

Remember selected settings, saved content, watchlists, and requested notification preferences.

Data categories

  • Language preference
  • report language preference
  • avatar selection
  • saved companies
  • watchlists
  • notification toggles

Source

Provided directly by the user through account settings or requested product actions.

Recipients / providers

  • Francesco Monterosso

Retention

While the account remains active or until the saved item or preference is removed.

Legal basis

Performance of a contract.

Required for the service or for internal operations

Optional analytics cookies and measurement

Measure traffic and broad product usage trends through Google Analytics 4 after the user opts in.

Data categories

  • Usage events
  • browser identifiers
  • approximate geolocation
  • cookie identifiers

Source

Collected only after the user actively accepts analytics.

Recipients / providers

  • Francesco Monterosso
  • Google Analytics 4

Retention

As configured by Google Analytics 4 and until the user withdraws analytics consent or clears the relevant cookies.

Legal basis

Consent.

Consent required

Transfer note: Google LLC is US-based; analytics data is processed outside the EEA under the EU–US Data Privacy Framework. IP addresses are anonymised and Google Signals/ad personalisation are disabled.

Support and direct contact requests

Handle support or privacy enquiries when the user contacts ReasyPort directly or opens a draft email via the website contact launcher.

Data categories

  • Name
  • email address
  • subject line
  • message content

Source

Provided directly by the user when emailing ReasyPort or launching a local mail draft from the contact page.

Recipients / providers

  • Francesco Monterosso

Retention

For as long as the enquiry remains active and for a limited follow-up period afterwards.

Legal basis

Steps taken at the request of the user and legitimate interests in handling support communications.

Optional

Category summary

  • Email address
  • name
  • username
  • avatar choice
  • account status
  • language and notification preferences
  • Name
  • email address
  • profile image
  • OAuth account identifiers
  • magic-link request metadata
  • delivery status metadata
  • subscription status
  • consent timestamp
  • language preference
  • delivery metadata
  • Session tokens
  • login timestamps
  • security event metadata
  • short-lived admin challenge/session cookies
  • User id if signed in
  • report identifier
  • ticker
  • tier
  • language
  • download timestamp
  • network identifier hashes
  • short-lived raw IP and user-agent where necessary for abuse investigation
  • pseudonymous event metadata
  • ticker or report context
  • approximate country/region derived from request headers
  • Language preference
  • report language preference
  • avatar selection
  • saved companies
  • watchlists
  • notification toggles
  • Usage events
  • browser identifiers
  • approximate geolocation
  • cookie identifiers
  • subject line
  • message content

Collection Sources

How the data reaches ReasyPort

  • Provided directly by the user or created during sign-in.
  • Received from Google when the user chooses Google sign-in.
  • Provided directly by the user when requesting email sign-in.
  • Provided directly by the user via the newsletter sign-up form.
  • Generated automatically during sign-in, session usage, and admin access flows.
  • Generated automatically when a report is opened or downloaded.
  • Generated automatically when the user interacts with product features.
  • Provided directly by the user through account settings or requested product actions.
  • Collected only after the user actively accepts analytics.
  • Provided directly by the user when emailing ReasyPort or launching a local mail draft from the contact page.

Legal Bases

How the legal bases map to the product

ReasyPort relies on four legal bases. Performance of a contract (Art. 6(1)(b) GDPR) for creating and operating your account, authentication, delivering requested reports, and saving your preferences. Consent (Art. 6(1)(a)) for optional analytics cookies and the weekly newsletter, which you may withdraw at any time. Legitimate interests (Art. 6(1)(f)) for platform and account security, abuse prevention, internal product-usage measurement, and handling support communications. Legal obligation (Art. 6(1)(c)) where disclosure or retention is required by law.

Performance of a contract.

  • Account creation and account management
  • Google sign-in
  • Magic-link sign-in emails
  • Saved preferences and notification settings

Consent (Art. 6(1)(a) GDPR); withdrawable at any time via the unsubscribe link in every email.

  • Weekly macro newsletter

Legitimate interests in platform security and, where relevant, performance of a contract.

  • Session and security logging

Performance of a contract and legitimate interests in service security.

  • Protected report access and download records

Legitimate interests in product improvement and service planning.

  • Internal product event logging

Consent.

  • Optional analytics cookies and measurement

Steps taken at the request of the user and legitimate interests in handling support communications.

  • Support and direct contact requests

Where ReasyPort relies on legitimate interests, it has assessed that those interests are not overridden by your rights and freedoms. You may object to legitimate-interest processing at any time on grounds relating to your particular situation, using the contacts at the end of this page.

Cookies

Cookies and similar technologies

ReasyPort uses essential storage for requested features, a first-party subject identifier plus consent record for privacy preference tracking, and optional analytics cookies only after the user actively accepts analytics.

Analytics consent can be granted, refused, or withdrawn with the same ease from the banner, from the footer preference entry, or from Profile > Privacy. The current preference is recorded server-side for audit purposes and also stored locally to drive the client-side experience.

Internal product event logging used to run requested features or improve the service without third-party analytics cookies is described separately in the processing register and does not rely on Google Analytics 4.

Providers

Third-party services actually used in the product

Google

Authentication provider for Google sign-in

Data categories

  • Name
  • email address
  • profile image
  • OAuth account identifiers

Purpose

  • Allow secure Google sign-in
  • Link the social account to a ReasyPort account

Transfer note: Google LLC is US-based; transfers outside the EEA rely on the EU–US Data Privacy Framework and/or Standard Contractual Clauses.

Provider privacy notice

Resend

Transactional and contact email delivery provider (magic-link sign-in, notification and contact-form emails)

Data categories

  • Email address
  • email subject and message body
  • delivery metadata

Purpose

  • Send one-time sign-in links and authentication emails
  • deliver notification and contact-form messages

Transfer note: Resend is US-based (AWS); transfers outside the EEA rely on the EU–US Data Privacy Framework and/or Standard Contractual Clauses.

Provider privacy notice

Supabase

Database and storage provider for application data and private report assets

Data categories

  • Account and profile data
  • saved companies and watchlists
  • stored report access metadata
  • service logs

Purpose

  • Store application and user data
  • store and serve private report assets

Transfer note: Application data is hosted in Supabase's EU region (Stockholm, eu-north-1); it is not transferred outside the EEA for primary storage.

Provider privacy notice

Google Analytics 4

Optional analytics provider activated only after analytics consent

Data categories

  • Usage events
  • browser identifiers
  • approximate geolocation
  • cookie identifiers

Purpose

  • Measure traffic and product usage trends
  • support product improvement decisions

Transfer note: Google LLC is US-based; analytics data is processed outside the EEA under the EU–US Data Privacy Framework. IP addresses are anonymised and Google Signals/ad personalisation are disabled.

Provider privacy notice

Data Sharing

How data is shared

ReasyPort does not sell personal data. Personal data is shared only to the extent needed to operate the product, deliver requested functionality, send authentication emails, or comply with applicable law.

  • With processors and infrastructure providers that support authentication, email delivery, storage, and optional analytics.
  • With competent authorities where disclosure is legally required.
  • In connection with a corporate transaction, subject to appropriate continuity of protection.

Retention

Technical retention and purge logic

Retention is defined per dataset and is also implemented in maintenance tooling. The current operational policy for this deployment is summarised below.

Report download logs

Retention: up to 90 days.

Purge strategy: delete. Download records are retained for service operations, fraud monitoring, and support investigations. Only hashed network identifiers are stored.

Security and access events

Retention: up to 180 days.

Purge strategy: delete. Security-relevant events are retained to investigate abuse, account misuse, and admin access issues.

Operational product events

Retention: up to 120 days.

Purge strategy: delete. Operational product events support requested features, support handling, and service integrity.

Internal product intelligence events

Retention: up to 90 days.

Purge strategy: delete. Internal product analytics events are kept for a limited period to understand feature usage and improve the product.

Privacy and cookie consent records

Retention: up to 730 days.

Purge strategy: delete. Consent records are retained to document the user choice history for a limited audit period.

Company and report request records

Retention: up to 365 days.

Purge strategy: review. Request records remain available while the request is active and for a limited period afterwards for support follow-up.

Privacy and cookie consent records: kept for up to 24 months to document your consent history for audit purposes.

Your Rights

Your privacy rights

  • Access to the personal data held about you.
  • Rectification of inaccurate or incomplete data.
  • Erasure where the data is no longer required or processing is otherwise no longer justified.
  • Restriction of processing in the cases provided by applicable law.
  • Objection to processing based on legitimate interests where applicable.
  • Data portability where the right applies.
  • Withdrawal of consent at any time for optional analytics without affecting prior processing.
  • Lodging a complaint with a supervisory authority — in Italy this is the Garante per la protezione dei dati personali (www.garanteprivacy.it), or the data protection authority of your country of residence.

Requests can be sent through the contact details at the end of this page. ReasyPort may ask for reasonable identity verification before fulfilling a privacy request.

ReasyPort does not carry out automated decision-making that produces legal or similarly significant effects concerning you, nor profiling within the meaning of Article 22 GDPR.

Transfers

International transfers

Some providers used by ReasyPort process data outside the EEA. Where this occurs, ReasyPort ensures the transfer is covered by an appropriate safeguard under Chapter V GDPR — an adequacy decision, the EU–US Data Privacy Framework, or Standard Contractual Clauses, together with any supplementary measures required. Details for each provider are given in the processing register and provider section above.

Transfer notes for the currently configured providers are included in the processing register and provider section above.

Security

Security measures

The product uses HTTPS transport, account authentication controls, server-side session handling, short-lived admin challenge/session cookies, access gating for protected report files, and limited event logging for security and support purposes.

No online service can guarantee absolute security. If you believe your account or a privacy preference has been misused, contact ReasyPort using the addresses below.

Children

Children's privacy

ReasyPort is intended for adults and is not designed for children. If you believe a child has submitted personal data through the service, contact ReasyPort so that the matter can be reviewed and the data can be removed where appropriate.

Updates

Changes to this policy

This page may be updated when the product, providers, or privacy controls change. Material updates should be published here with an updated effective date and, where appropriate, surfaced in-product.

Get in Touch

Privacy and support contacts

ReasyPort aims to respond to privacy requests within the time required by applicable law. Some requests may require additional verification or follow-up.