Security & privacy

What we store, where we store it, who can read it, and how to report a vulnerability.

Where your data lives

  • Database (Supabase, EU region): your account, study progress, private notes, AI usage logs. Encrypted at rest, accessed only via row-level security policies that block any user from reading another user’s rows.
  • Hosting (Vercel, EU region): site code and serverless functions. TLS 1.3 in transit, HSTS preloaded, strict CSP, with the frame-ancestors directive restricted so other origins cannot frame the site.
  • Payments (Stripe): card details never touch our servers. Stripe is PCI-DSS Level 1 certified. We store only Stripe customer + subscription IDs.
  • AI processing (Anthropic): your tutor messages and brief-generation prompts are sent to Anthropic’s Claude API for inference and not retained for training. Source judgments come from The National Archives.
  • Email (Loops): transactional and onboarding email. Unsubscribe respected, processor under DPA.
  • Analytics: Vercel Web Analytics — cookieless, IP-anonymised.
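The row-level security approach described above, as an added example that is not the site's own schema: a private-notes table in Supabase/Postgres with RLS enabled and forced, one owner-only policy per operation, and a check block that impersonates a user to confirm only that user's rows come back. Table and column names and the UUID are assumptions; auth.uid(), auth.users and the authenticated role are Supabase's built-ins.

```sql
-- Added example, not the site's own schema. Table/column names are assumptions.
create table if not exists private_notes (
  id         bigint generated always as identity primary key,
  -- Owner defaults to the calling user; deleting the account cascades the rows.
  user_id    uuid not null default auth.uid()
             references auth.users (id) on delete cascade,
  body       text not null,
  created_at timestamptz not null default now()
);

-- Without RLS every authenticated user could read the whole table.
alter table private_notes enable row level security;
-- Apply the policies to the table owner as well, so a role misconfiguration
-- cannot silently bypass them.
alter table private_notes force row level security;

-- Wrapping auth.uid() in a sub-select lets Postgres evaluate it once per
-- query instead of once per row (Supabase's documented recommendation).
create policy "notes: owner can select"
  on private_notes for select
  to authenticated
  using (user_id = (select auth.uid()));

create policy "notes: owner can insert"
  on private_notes for insert
  to authenticated
  with check (user_id = (select auth.uid()));

create policy "notes: owner can update"
  on private_notes for update
  to authenticated
  using (user_id = (select auth.uid()))
  with check (user_id = (select auth.uid()));

create policy "notes: owner can delete"
  on private_notes for delete
  to authenticated
  using (user_id = (select auth.uid()));

-- Verification: impersonate a user inside a transaction and confirm the
-- count only covers rows with that user_id. The UUID is a constructed
-- placeholder; the transaction is rolled back so nothing persists.
begin;
  set local role authenticated;
  select set_config(
    'request.jwt.claims',
    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}',
    true
  );
  select count(*) from private_notes;  -- rows owned by that sub only
  select count(*) from private_notes
    where user_id <> '00000000-0000-0000-0000-000000000001';  -- must be 0
rollback;
```

Two caveats worth checking in any Supabase project: the anon role has no policy here, so unauthenticated requests get zero rows rather than an error, and the service_role key bypasses RLS entirely, so it must only ever be used from server-side code and never shipped to a browser or mobile client.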

Backups & resilience

  • Nightly database snapshot via Supabase managed backups (7-day retention on Free tier; point-in-time recovery on Pro).
  • Independent nightly off-site dump via GitHub Actions, retained 90 days — an isolated second copy in case of vendor lock-out.
  • Production code is in a private GitHub repo, deployed atomically by Vercel with one-click rollback.

What you can do

  • Use a strong password on your account, and enable Google or magic-link sign-in if you prefer not to manage one.
  • Export your data from /settings at any time (DSAR self-serve).
  • Delete your account from /settings — cascades all your data, no retention.
  • See the full Privacy Policy for legal bases, retention periods, and the processor list.

Reporting a vulnerability

If you find a security issue, please email [email protected]. We commit to:

  • Acknowledging receipt within 48 hours.
  • Triaging and responding with a fix plan within 7 days.
  • Crediting the reporter (with permission) once the fix is shipped.
  • Not pursuing legal action against good-faith research conducted under our policy below.

Safe-harbour testing rules

  • Only test against your own account.
  • Don’t exfiltrate data, run destructive payloads, or impact other users.
  • Don’t spam, social-engineer staff, or test physical security or third-party processors.
  • Don’t publicly disclose before we’ve had a reasonable window to ship a fix (typically 90 days).

See /.well-known/security.txt for machine-readable contact details.