Privacy Policy
Effective Date: February 25, 2026
1. Introduction
This Privacy Policy explains how Iulian-Andrei Oana, operating as ReportHero ("ReportHero", "we", "us", or "our"), collects, uses, stores, and protects your information when you use the ReportHero application ("Service", "App"), available through the monday.com marketplace.
We are committed to protecting your privacy and handling your data transparently. By installing and using ReportHero, you acknowledge that you have read and understood this Privacy Policy.
If you have any questions or concerns, you can contact us at iulian@reporthero.app.
2. Data Controller
For the purposes of the General Data Protection Regulation (GDPR) and other applicable data protection laws, the data controller is:
Name: Iulian-Andrei Oana
Email: iulian@reporthero.app
Website: reporthero.app
Location: Spain
3. Data We Collect
3.1 Data Accessed from monday.com
When you authorize ReportHero through the monday.com OAuth process, we access the following data from your monday.com account:
- Board data: Board names, structures, columns, column types, and configurations
- Item data: Items and sub-items, including column values, status, dates, and other field contents
- User information: Names and email addresses of users within your monday.com account, used for reporting attribution and filtering
- Workspace data: Workspace names and account-level metadata necessary for organizing reports
- Activity data: Updates, status changes, and timestamps used for analytics features such as cycle time and time tracking reports
3.2 Account and Authentication Data
- monday.com OAuth tokens: Used to authenticate and maintain your connection to the Service. We do not access or store your monday.com password.
- Account identifiers: Your monday.com account ID, user ID, and associated email address
3.3 Usage Data
We may collect basic usage data to improve the Service, including:
- Features accessed and frequency of use
- Error logs and performance metrics
- Browser type, device type, and general interaction patterns within the App
3.4 Data We Do Not Collect
- We do not collect your monday.com password
- We do not collect payment or billing information directly. All billing is handled through the monday.com marketplace
- We do not access data from monday.com boards or workspaces that you have not authorized
- We do not sell, rent, or trade your personal data to third parties
4. How We Use Your Data
We use the data we collect solely for the following purposes:
- Providing the Service: Generating reports, dashboards, analytics, and exports based on your monday.com data
- Data synchronization: Periodically syncing your monday.com data to enable historical tracking and trend analysis
- Service improvement: Analyzing aggregated, anonymized usage patterns to improve features and performance
- Account management: Authenticating your access and managing your subscription
- Communication: Sending essential service notifications, account-related communications, product updates, and feedback requests (see Section 8)
- Technical support: Diagnosing and resolving issues you report to us
We do not use your data for advertising, profiling, or any purpose unrelated to providing and improving the Service.
5. Legal Basis for Processing (GDPR)
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we process your personal data based on the following legal grounds:
- Performance of a contract: Processing necessary to provide the Service you have subscribed to (Article 6(1)(b) GDPR)
- Legitimate interests: Processing necessary for our legitimate interests, such as improving the Service, ensuring security, and preventing fraud, where those interests are not overridden by your rights (Article 6(1)(f) GDPR)
- Consent: Where you have given consent for specific processing activities, such as receiving non-essential communications (Article 6(1)(a) GDPR). You may withdraw consent at any time.
- Legal obligation: Processing necessary to comply with legal requirements applicable to us (Article 6(1)(c) GDPR)
6. Data Storage and Security
6.1 Where We Store Your Data
Your monday.com account data (board data, item data, user information, and all synced content) is stored in a Supabase-managed PostgreSQL database located in the EU (Ireland, AWS eu-west-1 region).
Our web application is hosted on Vercel, a US-based hosting provider. Vercel serves the application frontend and processes serverless function requests. While we configure our serverless functions to execute in EU regions where possible, Vercel's global infrastructure may route certain metadata (such as IP addresses) through non-EU locations for purposes including DDoS protection and content delivery. Vercel does not permanently store your monday.com data. Please see Section 11 for details on international data transfers.
6.2 How We Protect Your Data
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption of data in transit (TLS/HTTPS)
- Encryption of sensitive data at rest
- Secure OAuth token storage
- Access controls limiting data access to authorized personnel only
- Regular security reviews and updates
- Use of infrastructure providers that maintain industry certifications (including SOC 2 Type 2 and ISO 27001)
While we strive to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents.
6.3 Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, as required by Article 33 of the GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay in accordance with Article 34 of the GDPR.
7. Data Retention
- Active accounts: We retain your synced monday.com data and account information for as long as your ReportHero subscription is active and as needed to provide the Service, including historical reporting features.
- After uninstallation: Upon uninstallation of ReportHero from your monday.com account or upon account deletion, we will delete your synced data within 30 days, unless retention is required by applicable law.
- OAuth tokens: Authentication tokens are revoked and deleted upon uninstallation.
- Usage data: Aggregated, anonymized usage data may be retained indefinitely for analytics and service improvement purposes, as it cannot be linked back to any individual user.
- Legal obligations: We may retain certain data beyond the periods stated above where required by applicable law (for example, tax or accounting obligations).
8. User Communications
We may contact you for the following purposes:
- Essential communications: Service outages, security alerts, breaking changes, account and billing notifications. These cannot be opted out of while your account is active.
- Non-essential communications: Product updates, new feature announcements, feedback requests, surveys, and usage tips. You may opt out of these at any time by contacting us at iulian@reporthero.app or following the unsubscribe instructions included in those communications.
9. Data Sharing and Third Parties
9.1 When We Share Data
We do not sell your data. We may share your data only in the following limited circumstances:
- Infrastructure providers (sub-processors): With trusted hosting and cloud service providers who process data on our behalf. These providers act as data processors under appropriate data processing agreements. Our current sub-processors are listed in Section 9.2.
- monday.com API: Your data is accessed through the monday.com API; your use of monday.com is governed by monday.com's own privacy policy and terms of service.
- Legal requirements: When required by law, regulation, legal process, or enforceable governmental request.
- Business transfers: In connection with a merger, acquisition, or sale of assets, in which case you will be notified in advance of any change in data controller and given the opportunity to have your data deleted.
9.2 Sub-processors
We use the following third-party sub-processors to provide the Service:
| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Supabase (via AWS) | Database hosting and data storage | EU (Ireland, eu-west-1) |
| Vercel | Web application hosting and serverless functions | US-based, with EU edge locations (see Section 11) |
| monday.com | Source platform API integration | As per monday.com's privacy policy |
We will update this list if our sub-processors change and will notify active users of any material changes. You may contact us at iulian@reporthero.app for the most current list.
9.3 Third-Party Services
ReportHero integrates with monday.com through its public API. We encourage you to review monday.com's privacy policy for information on how they handle your data. We are not responsible for the privacy practices of monday.com or any other third-party services.
10. Your Rights
10.1 Rights Under GDPR
If you are located in the EEA, the United Kingdom, or Switzerland, you have the following rights regarding your personal data:
- Right of access (Article 15): Request a copy of the personal data we hold about you
- Right to rectification (Article 16): Request correction of inaccurate or incomplete data
- Right to erasure (Article 17): Request deletion of your personal data, subject to legal retention obligations
- Right to restriction of processing (Article 18): Request that we restrict processing of your data in certain circumstances
- Right to data portability (Article 20): Request your data in a structured, commonly used, machine-readable format
- Right to object (Article 21): Object to processing based on legitimate interests or for direct marketing purposes
- Right to withdraw consent (Article 7(3)): Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing
10.2 Exercising Your Rights
To exercise any of these rights, please contact us at iulian@reporthero.app. We will respond to your request within one month, as required by Article 12 of the GDPR. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests, in which case we will inform you of the extension within the first month. We may ask you to verify your identity before processing your request.
There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.
10.3 Right to Lodge a Complaint
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. If you are based in Spain or your data is processed in Spain, the relevant authority is:
Agencia Española de Protección de Datos (AEPD)
Website: www.aepd.es
You also have the right to lodge a complaint with the supervisory authority in your country of habitual residence or place of work.
11. International Data Transfers
Your monday.com data is stored in the EU (Ireland). However, because we use Vercel, a US-based hosting provider, certain data may be transferred to or processed in the United States as part of application delivery. This includes transient processing of request metadata (such as IP addresses) through Vercel's global infrastructure.
For any transfer of personal data outside the EEA, we rely on the following safeguards as permitted under Chapter V of the GDPR:
- EU-US Data Privacy Framework (DPF): Vercel is certified under the EU-US Data Privacy Framework, which has been recognized by the European Commission as providing adequate protection for personal data transferred from the EU to certified US organizations (Adequacy Decision of July 10, 2023).
- Standard Contractual Clauses (SCCs): Where applicable, we enter into Standard Contractual Clauses approved by the European Commission with our sub-processors.
- Data Processing Agreements (DPAs): We maintain data processing agreements with our sub-processors that include appropriate data protection obligations.
We do not transfer your monday.com data (board data, items, user information) outside the EU for storage. Such data remains in our Supabase database in Ireland.
12. Children's Privacy
ReportHero is a business tool designed for professional use. The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected data from a child under 16, we will take steps to delete that information promptly. If you believe we have collected information from a child, please contact us at iulian@reporthero.app.
13. Cookies and Tracking Technologies
ReportHero operates as an embedded monday.com application. We do not use cookies for tracking or advertising purposes. We do not use third-party analytics, advertising, or tracking cookies.
We may use essential, strictly necessary cookies or local storage required for the App to function, such as maintaining your authenticated session. These do not require consent under Article 5(3) of the ePrivacy Directive as they are strictly necessary for the provision of the Service.
14. Automated Decision-Making
We do not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you, as described in Article 22 of the GDPR.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make material changes, we will notify you by posting the updated policy within the App or via email at least 30 days before the changes take effect. Your continued use of the Service after such changes constitutes your acceptance of the updated Privacy Policy.
We encourage you to review this policy periodically. The "Last updated" date at the bottom of this policy indicates when it was most recently revised.
16. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Name: Iulian-Andrei Oana
Email: iulian@reporthero.app
Website: reporthero.app
Last updated: February 25, 2026