Skip to content

Legal

Privacy Policy

Last updated: 2026-05-04

This policy is a draft pending legal review and is provided for transparency only — it is not legally binding in its current form. Once our review is complete we will publish a final version and notify all installed agencies.

Information We Collect

ReportStack collects three categories of data: (1) account identifiers from your GoHighLevel agency (agency name, owner email, sub-account IDs), (2) KPI metrics that your sub-accounts already produce inside GHL (sales, leads, ad spend, ROAS, and related counts pulled via your authorized API tokens), and (3) usage telemetry required to operate the product (login timestamps, PDF render success/failure events, billing webhook deliveries).

We do not collect contact records, conversations, or media stored inside your GHL sub-accounts. Our scope is intentionally limited to aggregate metric counts.

How We Use It

Collected data is used solely to render the cross-sub-account rollup, generate white-label PDF reports, deliver scheduled reports to the recipient lists you configure, and operate billing. We do not sell, rent, or share your data with advertisers or data brokers, and we do not use it to train AI models.

Third Parties

ReportStack relies on the following processors to operate. Each is bound by their own privacy and security commitments; we link to those wherever practical so you can audit them independently.

Supabase

Purpose: Postgres database + object storage for branding logos and rendered PDFs.

Jurisdiction: United States [TODO: jurisdiction confirmation]

Postmark

Purpose: Transactional email delivery (report emails, account confirmations).

Jurisdiction: United States [TODO: jurisdiction confirmation]

GoHighLevel (GHL)

Purpose: OAuth identity, sub-account discovery, and per-location API tokens used to read your KPIs.

Jurisdiction: United States [TODO: jurisdiction confirmation]

Vercel

Purpose: Web application hosting (reportstack.app + app.reportstack.app) and edge analytics.

Jurisdiction: United States [TODO: jurisdiction confirmation]

Anthropic

Purpose: Generates AI client narratives that summarize KPI movement in plain English for each report.

Jurisdiction: United States [TODO: jurisdiction confirmation]

Data Retention

KPI snapshots and rendered PDFs are retained for the lifetime of your subscription so you can revisit historical reports. When you cancel, all account data is scheduled for deletion after a 30-day grace period during which you can reactivate. Anonymized aggregate metrics may be retained beyond that window for capacity planning.

Your Rights

Depending on your jurisdiction, you may have rights to access, export, correct, or delete the data we hold about your agency. Self-serve export and deletion are a feature in development. In the meantime, contact us at the address listed below and we will action your request within 30 days.

Cookies

ReportStack uses a single first-party session cookie (rs_session) scoped to .reportstack.app to keep you logged in across the marketing and app subdomains. We do not use third-party advertising cookies. Vercel may set first-party analytics cookies on the marketing site to count page views.

Contact

Questions, concerns, or rights requests? Email [email protected]. We aim to respond within two business days.