Privacy Policy
Privacy Policy for Morning Report
Last updated: April 29 2025
1. Introduction
Morning Report (“we,” “our,” “us”) helps marketing teams turn platform analytics into weekly AI-powered reports. Protecting your privacy is central to that mission. This policy explains what personal information and Google user data we collect, how we use it, how we protect it, and how long we keep it.
2. Information We Collect
A. Personal information you provide directly
• Name, company name and email address when you create an account or list report recipients.
• Optional details (e.g., job title, phone number) if you choose to enter them in your profile.
• Support correspondence and any files you send us.
(Passwords are never collected; authentication is handled by Bubble and Google OAuth.)
B. Google user data obtained via OAuth
Google Analytics 4 Data API (scope analytics.readonly)
– GA4 property ID and name
– Date ranges you choose
– Metrics: sessions, users, conversions, revenue, bounce rate
– Dimensions: source, medium, campaign, device, countryGoogle Ads API (scope adwords)
– Customer/account ID and descriptive name
– Campaign, ad-group and ad IDs
– Metrics: impressions, clicks, cost, conversions, conversion value, CPC, ROASGoogle Search Console API (scope webmasters.readonly)
– Verified site URL
– Search query and landing-page URL
– Clicks, impressions, average position
OAuth 2.0 refresh and access tokens to keep your connection active.
No write, modify or delete scopes are requested, and Morning Report never changes or deletes content in your Google accounts.
OAuth tokens are stored only in Bubble’s encrypted database and are never sent to Make or OpenAI.
C. Meta Marketing API (permissions ads_read, business_management, pages_show_list)
– Ad‑account ID and name (e.g., act_1545983762714306, “Ice Cream Shop”)
– Business ID and name (read‑only)
– Page ID and title of Pages you manage
– Weekly, account‑level metrics returned by the Insights endpoint: spend, impressions, clicks, reach, CTR, CPC, CPM
– OAuth access token required to retrieve those metrics
3. How We Use the Data• Provide interactive dashboards and PDF/CSV reports you request.
• Run AI models that surface trends and recommended actions.
• Email those reports to the contacts you specify.
We never use any data for advertising, profiling, resale or third-party marketing.
• Fetch Meta Ads Insights once per day to populate the “Meta Ads” section of each report. All data is read‑only; Morning Report never creates, edits, or deletes ads, campaigns, Pages, or Business settings.
4. How We Protect Your Data (Security Procedures)
Security procedures are in place to protect the confidentiality, integrity and availability of your information. We use encryption to protect your data in transit and at rest.
• Transport encryption – All traffic among your browser, Bubble servers and Make workflow runners uses TLS 1.2 or higher (HTTPS).
• Storage encryption – Personal info, Google tokens and cached report data are stored in Bubble’s PostgreSQL cluster on AWS us-east-1 with AES-256 encryption at rest; backups are encrypted the same way.
• Least-privilege access – Bubble privacy rules and server-side actions restrict data to vetted staff using VPN plus two-factor authentication; every access is logged.
• Monitoring – Automated intrusion detection plus quarterly internal vulnerability scans. Bubble’s AWS environment holds SOC 1/2/3 and ISO 27001 certifications.
• Meta OAuth tokens are stored in the same encrypted Bubble database and are never sent to Make or OpenAI.
5. Data Retention & Deletion
Morning Report stores your personal information and Google user data only for as long as needed to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law. When the retention period expires for a given type of data, we delete or destroy it.• OAuth tokens – Deleted within 24 hours after you disconnect a platform or after 90 days of account inactivity, whichever comes first.
• Aggregated report data – Retained for 90 days so you can see historical trends; automatically purged after that or sooner upon request.
• Account profile and contact info – Kept until you delete your Morning Report account or request deletion.You may request deletion of any or all data at any time by emailing support@morningreport.io; we will complete and confirm the deletion within 30 days.
• Meta OAuth tokens – Deleted within 24 hours after you disconnect Meta Ads or after 90 days of account inactivity, whichever comes first.
• Aggregated Meta metrics – Retained for 90 days so you can see historical trends; purged sooner upon request.
6. Your Controls
• Revoke Google access at any time: https://myaccount.google.com/permissions
• Export or delete data: email support@morningreport.io
• Edit report schedule, recipients or connected platforms in the app.
• Revoke Meta access at any time: https://www.facebook.com/settings?tab=business_tools
7. Compliance with Meta and Google Policies
Our use of Google user data complies with the Google API Services User Data Policy. Our use of Meta data complies with the Meta Platform Terms and the Marketing API Terms. Morning Report only accesses data that end‑users explicitly grant via the OAuth consent screen and never publishes content or modifies ad settings.Our use of Google user data complies with the Google API Services User Data Policy (including Limited-Use rules) and the Google Ads API Terms & Conditions. Humans do not view raw Google user data unless you request support or an investigation is legally required. Only aggregated, anonymous metrics are shared with OpenAI and Make.
We do NOT use any data obtained through Google Workspace or Google API Services to develop, improve, or train generalized AI or machine‑learning models.
8. Sub-processors
• Bubble Group, Inc. – hosts encrypted data on AWS.
• OpenAI, LLC – receives anonymised, aggregated metrics to generate narrative insights.
• Make (Celonis SE) – workflow engine that processes aggregated metrics for scheduled reports.
9. Children’s Privacy
Morning Report is not directed to children under 13 and should not be used by them.
10. Changes
Material changes are announced in-app and via email at least seven (7) days before taking effect. Continued use after that date constitutes acceptance.
11. Contact
Email support@morningreport.io with any questions or requests for export or deletion.
Last updated: April 29 2025
1. Introduction
Morning Report (“we,” “our,” “us”) helps marketing teams turn platform analytics into weekly AI-powered reports. Protecting your privacy is central to that mission. This policy explains what personal information and Google user data we collect, how we use it, how we protect it, and how long we keep it.
2. Information We Collect
A. Personal information you provide directly
• Name, company name and email address when you create an account or list report recipients.
• Optional details (e.g., job title, phone number) if you choose to enter them in your profile.
• Support correspondence and any files you send us.
(Passwords are never collected; authentication is handled by Bubble and Google OAuth.)
B. Google user data obtained via OAuth
Google Analytics 4 Data API (scope analytics.readonly)
– GA4 property ID and name
– Date ranges you choose
– Metrics: sessions, users, conversions, revenue, bounce rate
– Dimensions: source, medium, campaign, device, countryGoogle Ads API (scope adwords)
– Customer/account ID and descriptive name
– Campaign, ad-group and ad IDs
– Metrics: impressions, clicks, cost, conversions, conversion value, CPC, ROASGoogle Search Console API (scope webmasters.readonly)
– Verified site URL
– Search query and landing-page URL
– Clicks, impressions, average position
OAuth 2.0 refresh and access tokens to keep your connection active.
No write, modify or delete scopes are requested, and Morning Report never changes or deletes content in your Google accounts.
OAuth tokens are stored only in Bubble’s encrypted database and are never sent to Make or OpenAI.
C. Meta Marketing API (permissions ads_read, business_management, pages_show_list)
– Ad‑account ID and name (e.g., act_1545983762714306, “Ice Cream Shop”)
– Business ID and name (read‑only)
– Page ID and title of Pages you manage
– Weekly, account‑level metrics returned by the Insights endpoint: spend, impressions, clicks, reach, CTR, CPC, CPM
– OAuth access token required to retrieve those metrics
3. How We Use the Data• Provide interactive dashboards and PDF/CSV reports you request.
• Run AI models that surface trends and recommended actions.
• Email those reports to the contacts you specify.
We never use any data for advertising, profiling, resale or third-party marketing.
• Fetch Meta Ads Insights once per day to populate the “Meta Ads” section of each report. All data is read‑only; Morning Report never creates, edits, or deletes ads, campaigns, Pages, or Business settings.
4. How We Protect Your Data (Security Procedures)
Security procedures are in place to protect the confidentiality, integrity and availability of your information. We use encryption to protect your data in transit and at rest.
• Transport encryption – All traffic among your browser, Bubble servers and Make workflow runners uses TLS 1.2 or higher (HTTPS).
• Storage encryption – Personal info, Google tokens and cached report data are stored in Bubble’s PostgreSQL cluster on AWS us-east-1 with AES-256 encryption at rest; backups are encrypted the same way.
• Least-privilege access – Bubble privacy rules and server-side actions restrict data to vetted staff using VPN plus two-factor authentication; every access is logged.
• Monitoring – Automated intrusion detection plus quarterly internal vulnerability scans. Bubble’s AWS environment holds SOC 1/2/3 and ISO 27001 certifications.
• Meta OAuth tokens are stored in the same encrypted Bubble database and are never sent to Make or OpenAI.
5. Data Retention & Deletion
Morning Report stores your personal information and Google user data only for as long as needed to fulfill the purposes described in this policy, unless a longer retention period is required or permitted by law. When the retention period expires for a given type of data, we delete or destroy it.• OAuth tokens – Deleted within 24 hours after you disconnect a platform or after 90 days of account inactivity, whichever comes first.
• Aggregated report data – Retained for 90 days so you can see historical trends; automatically purged after that or sooner upon request.
• Account profile and contact info – Kept until you delete your Morning Report account or request deletion.You may request deletion of any or all data at any time by emailing support@morningreport.io; we will complete and confirm the deletion within 30 days.
• Meta OAuth tokens – Deleted within 24 hours after you disconnect Meta Ads or after 90 days of account inactivity, whichever comes first.
• Aggregated Meta metrics – Retained for 90 days so you can see historical trends; purged sooner upon request.
6. Your Controls
• Revoke Google access at any time: https://myaccount.google.com/permissions
• Export or delete data: email support@morningreport.io
• Edit report schedule, recipients or connected platforms in the app.
• Revoke Meta access at any time: https://www.facebook.com/settings?tab=business_tools
7. Compliance with Meta and Google Policies
Our use of Google user data complies with the Google API Services User Data Policy. Our use of Meta data complies with the Meta Platform Terms and the Marketing API Terms. Morning Report only accesses data that end‑users explicitly grant via the OAuth consent screen and never publishes content or modifies ad settings.Our use of Google user data complies with the Google API Services User Data Policy (including Limited-Use rules) and the Google Ads API Terms & Conditions. Humans do not view raw Google user data unless you request support or an investigation is legally required. Only aggregated, anonymous metrics are shared with OpenAI and Make.
We do NOT use any data obtained through Google Workspace or Google API Services to develop, improve, or train generalized AI or machine‑learning models.
8. Sub-processors
• Bubble Group, Inc. – hosts encrypted data on AWS.
• OpenAI, LLC – receives anonymised, aggregated metrics to generate narrative insights.
• Make (Celonis SE) – workflow engine that processes aggregated metrics for scheduled reports.
9. Children’s Privacy
Morning Report is not directed to children under 13 and should not be used by them.
10. Changes
Material changes are announced in-app and via email at least seven (7) days before taking effect. Continued use after that date constitutes acceptance.
11. Contact
Email support@morningreport.io with any questions or requests for export or deletion.