Security & trust

Brand visibility data, handled like brand-strategy data.

Your prompts and answers are competitively sensitive. We treat them that way — EU-hosted, encrypted, isolated per account, and never used to train any model.

Six commitments, on every plan.

Free, Pro and Enterprise customers all get the same security posture. Enterprise adds contractual depth (DPA/MSA, SSO, custom retention) but the controls are identical.

Encrypted in transit and at rest

TLS 1.2+ on every endpoint, AES-256 at rest. Database, object storage and backups inherit the same encryption posture.

Tenant isolation by row-level security

Every customer-data table is gated by Postgres row-level security on the authenticated user’s id. Cross-tenant reads are structurally impossible from the client API.
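As an added illustration of the row-level-security pattern described above (example schema, not the product's own code), the following assumes a Supabase-style helper auth.uid() that returns the caller's user id from the request JWT, and an API role named authenticated:

```sql
-- Added example, not the vendor's actual schema: a customer-data table
-- gated by Postgres row-level security on the authenticated user's id.
-- Assumption: auth.uid() (Supabase helper) yields the caller's user id,
-- and client API connections run as the role "authenticated".

create table prompts (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null default auth.uid(),   -- tenant key, never null
  body       text not null,
  created_at timestamptz not null default now()
);

-- ENABLE turns the policies on; FORCE also applies them to the table's
-- owner role (superusers and BYPASSRLS roles still bypass). Without
-- ENABLE, every policy below is silently ignored, so check this first.
alter table prompts enable row level security;
alter table prompts force row level security;

-- One policy per command so reads and writes share the same predicate.
-- WITH CHECK blocks writing a row that belongs to another tenant,
-- including re-homing an existing row via UPDATE of owner_id.
create policy prompts_select on prompts for select to authenticated
  using (owner_id = auth.uid());

create policy prompts_insert on prompts for insert to authenticated
  with check (owner_id = auth.uid());

create policy prompts_update on prompts for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());

create policy prompts_delete on prompts for delete to authenticated
  using (owner_id = auth.uid());

-- Defence in depth: the API role reaches the table only through the
-- policies above; nothing is granted to public.
revoke all on prompts from public;
grant select, insert, update, delete on prompts to authenticated;

-- Verification, run as "authenticated" with a JWT for user A:
--   select count(*) from prompts;          -- counts only A's rows
--   update prompts set owner_id = '<user B id>' where owner_id = auth.uid();
--                                          -- rejected by WITH CHECK
```

A service-role or superuser connection bypasses these policies entirely, so server-side code using such a connection must apply its own tenant filter.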

No model training on your data

We never train third-party or proprietary models on your account data. Prompts go to providers (OpenAI, Anthropic, Google, Perplexity) only to obtain answers for your visibility report.

EU-hosted, GDPR-compliant

Hosting and primary data processing inside the European Union. We process personal data lawfully under GDPR, support data-subject rights, and maintain a register of processing activities.

Modern auth with revocable sessions

Email + password, magic-link, and Google OAuth. Sessions are revocable from any device. SSO is available on the Enterprise plan.

Resilient infrastructure

Managed Postgres with point-in-time recovery, queue-backed background workers with dead-letter handling, and external monitoring on every critical path.

Data lifecycle, end to end.

Plain-language summary of what we store, how long, and what you can do about it. Full legal text lives in the Privacy Policy and Terms.

What we store

Your account profile, brands, prompts, runs, model responses, parsed mentions, generated recommendations, daily visibility snapshots and API keys. Your Stripe customer ID is stored; card details are not.

How long we keep it

Account data is retained for as long as your account is active. After account deletion, primary records are removed within 30 days; encrypted backups age out within 90 days.

Your rights under GDPR

Access, rectification, erasure, portability and objection. Email [email protected] — we respond within 30 days, faster on the Enterprise plan.

Incident response

Security incidents are triaged within hours and disclosed to affected customers within 72 hours of confirmation, in line with GDPR Article 33. Email [email protected] to report a vulnerability.

Subprocessors.

The vendors we entrust with parts of the service. We pick partners that match our GDPR posture and enforce data-processing agreements with each.

Vendor | Purpose | Region
Supabase (managed Postgres + Auth) | Primary database, authentication, file storage | EU (Frankfurt)
Cloudflare Pages | Marketing site CDN | Global edge
Stripe | Subscription billing & invoicing | EU + US
Resend | Transactional email delivery | EU + US
OpenAI, Anthropic, Google, Perplexity | LLM API providers — prompts forwarded on your behalf to obtain answers | Provider regions
Google Analytics | Privacy-respecting marketing analytics (anonymized IP) | EU

Material changes to the subprocessor list are announced with at least 14 days’ notice via email and on this page. Email [email protected] to request the most recent DPA-aligned version of the list.

Report a vulnerability.

We welcome responsible disclosure. Email [email protected] with reproduction steps. We acknowledge within one business day, triage within five, and disclose post-fix where appropriate. We don’t pursue good-faith researchers.

Procurement-ready when you are.

Need a custom DPA, security questionnaire response or vendor review? Reach out — most enterprise reviews complete in under two weeks.