Security & Trust Center
Two questions every business owner should ask before trusting any software with their data: Is my data safe? And who can see it? Here are our answers.
Last updated February 2026
Is my data safe?
Security is not a checkbox — it is layered. Here is every layer protecting your data from the moment you open the app to the moment it is stored on disk.
All connections use HTTPS with TLS 1.3. Strict Transport Security (HSTS) is enforced so your browser never falls back to plain HTTP.
Passwords are hashed using bcrypt and never stored in plaintext. Authentication is managed by Supabase Auth with short-lived session tokens that are rotated automatically.
Row-Level Security is enforced at the database layer. Even if application code had a bug, the database itself refuses to return another user's data.
Data is stored in Supabase (Postgres) hosted on AWS. All data at rest is encrypted using AES-256. Backups are encrypted and retained for recovery.
Who can see my data?
Data visibility is controlled by strict policies, not just application-level code. Here is exactly who has access to what.
Only you can see your data
Row-Level Security policies are applied to every table. The database rejects any query that tries to read data belonging to a different user, even if the request appears to come from our own backend.
Advisors see only what you invite them to
If you are on the Advisory tier, advisors are granted access only to the specific companies they have been explicitly invited to. No blanket visibility exists.
Sensitive access is logged
Every time AI coaching content, assessments, or owner insights are accessed — whether by you or an advisor — an immutable log entry is created. You can view your complete audit trail in your account settings.
Payment data never touches our servers
All payment processing is handled exclusively by Stripe. We store only a Stripe customer ID and subscription status. Your card number is never transmitted to or stored on our systems.
You can delete everything
You have the right to request permanent deletion of all your data at any time. Visit Settings → Data & Privacy to submit a deletion request. All data, including audit logs, is purged within 30 days.
No silent admin access
Administrative access to the platform is restricted to essential operations only, and any team member's access to user data is recorded in the same audit log that is visible to you.
How AI features handle your data
Personalized coaching and AI-generated insights are powered by OpenAI's GPT-4o API. Here is exactly what happens with your data when you use these features.
Data is not used for training
Per our Data Processing Agreement with OpenAI, all API data is excluded from model training. Your business strategy, assessments, and coaching conversations are never used to improve their models.
Requests are completely isolated
Each API request is processed in isolation. There is no mechanism through which another API customer could access your data. OpenAI does not share data between customers.
Enhanced Privacy Mode available
Enhanced Privacy Mode is an opt-in setting that anonymizes your company name, competitor names, and website URLs before they leave our servers. Enable it in Settings under Data & Privacy.
Consent required before use
AI features are not activated until you explicitly acknowledge the data processing disclosure. You can revoke consent at any time from your account settings.
Your personal audit trail
Every time sensitive data in your account is accessed — AI coaching, assessments, insights — a log entry is recorded. This log is visible only to you, and you can review it at any time from your account settings. If anything looks unfamiliar, our support team is here to help.
Still have questions?
We are happy to answer specific questions about how your data is handled.