How we store your data
Your contracts, slip log, and the witness name (if you provided one) live in two places: a local cache in your browser, and the primary Postgres database on Supabase (AWS us-east-1). The database is encrypted at rest with AES-256, with keys managed by Supabase. Encryption at rest protects the storage media; it does not protect your data from anyone who can query the database. We don’t use end-to-end encryption with user-held keys today; the encryption is server-managed. If we ever serve sectors that need user-held keys, we’ll revisit and announce it.
All traffic between your browser, the extension, and our servers uses TLS 1.3. We don’t serve any content over plain HTTP. HSTS is enabled with a two-year max-age and the preload directive, and the domain is on the browser HSTS preload list, so even a first visit never goes over plain HTTP. The site sets a strict Content-Security-Policy, a deny-by-default Permissions-Policy, and refuses to be framed (X-Frame-Options: DENY). Content-Security-Policy violations are reported to a first-party endpoint at /api/csp-report, where we collect and act on them. Violation logs rotate on a 7-day window.
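A report endpoint like /api/csp-report accepts unauthenticated JSON from any browser on the internet, so it needs to validate before it logs. The code below is an added example of how such an endpoint can do that; it is not this site’s own code, the header values in securityHeaders are assumed for illustration (the page does not list the exact policy), and the sample reports are constructed. It handles both shapes browsers send: the legacy report-uri body (Content-Type application/csp-report) and the Reporting API body (application/reports+json), caps the body size, keeps only a fixed set of string fields, and drops reports about documents that are not on the site’s own origin.

```javascript
// Added example, not this site's own code: what a first-party CSP report
// endpoint such as /api/csp-report has to do before it trusts a report.
// Reports arrive unauthenticated from any client, so the body is
// size-limited, parsed defensively and reduced to a fixed set of short
// string fields before anything is logged.
const MAX_BODY_BYTES = 16 * 1024;   // assumption: real reports are far smaller
const MAX_FIELD_CHARS = 2048;       // assumption: cap on each logged value

// Illustrative header set (assumed values; the page does not list the exact
// policy). report-uri feeds older browsers, report-to plus Reporting-Endpoints
// feeds the Reporting API; both point at the same path.
function securityHeaders(origin) {
  return {
    'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
    'Content-Security-Policy':
      "default-src 'self'; object-src 'none'; base-uri 'self'; " +
      "frame-ancestors 'none'; report-uri /api/csp-report; report-to csp",
    'Reporting-Endpoints': `csp="${origin}/api/csp-report"`,
    'Permissions-Policy': 'camera=(), microphone=(), geolocation=(), payment=()',
    'X-Frame-Options': 'DENY',
  };
}

// The two formats name the same fields differently; map both onto one record.
const LEGACY_FIELDS = {
  documentUri: 'document-uri', effectiveDirective: 'effective-directive',
  blockedUri: 'blocked-uri', disposition: 'disposition', originalPolicy: 'original-policy',
};
const REPORTING_API_FIELDS = {
  documentUri: 'documentURL', effectiveDirective: 'effectiveDirective',
  blockedUri: 'blockedURL', disposition: 'disposition', originalPolicy: 'originalPolicy',
};

// Copy only known keys, only if they are strings, and truncate them.
function pick(obj, map) {
  const out = {};
  for (const [key, src] of Object.entries(map)) {
    const v = obj[src];
    out[key] = typeof v === 'string' ? v.slice(0, MAX_FIELD_CHARS) : null;
  }
  return out;
}

// Only keep reports about documents on our own origin; extension pages,
// about:blank and third-party sites that copied our policy are noise.
function isInScope(record, ownOrigin) {
  if (!record.documentUri) return false;
  try { return new URL(record.documentUri).origin === ownOrigin; } catch { return false; }
}

// Returns { accepted, rejected }; throws on input the handler should answer 4xx to.
function parseCspReports(contentType, rawBody, ownOrigin) {
  if (Buffer.byteLength(rawBody, 'utf8') > MAX_BODY_BYTES) throw new Error('report too large');
  const type = String(contentType || '').split(';')[0].trim().toLowerCase();
  let parsed;
  try { parsed = JSON.parse(rawBody); } catch { throw new Error('invalid JSON'); }

  const records = [];
  if (type === 'application/csp-report') {
    const body = parsed && parsed['csp-report'];
    if (!body || typeof body !== 'object') throw new Error('missing csp-report object');
    records.push(pick(body, LEGACY_FIELDS));
  } else if (type === 'application/reports+json') {
    if (!Array.isArray(parsed)) throw new Error('expected an array of reports');
    for (const r of parsed) {
      if (r && r.type === 'csp-violation' && r.body && typeof r.body === 'object') {
        records.push(pick(r.body, REPORTING_API_FIELDS));
      }
    }
  } else {
    throw new Error('unsupported content type');
  }
  const accepted = records.filter((r) => isInScope(r, ownOrigin));
  return { accepted, rejected: records.length - accepted.length };
}

// Constructed sample reports (not real traffic) for a site at https://example.com.
const SAMPLE_LEGACY = JSON.stringify({ 'csp-report': {
  'document-uri': 'https://example.com/app', 'effective-directive': 'script-src',
  'blocked-uri': 'https://evil.example/x.js', disposition: 'enforce',
  'original-policy': "default-src 'self'; report-uri /api/csp-report",
} });
const SAMPLE_REPORTING_API = JSON.stringify([
  { type: 'csp-violation', age: 10, url: 'https://example.com/app',
    body: { documentURL: 'https://example.com/app', effectiveDirective: 'img-src',
            blockedURL: 'https://tracker.example/p.gif', disposition: 'enforce' } },
  { type: 'csp-violation', age: 12, url: 'chrome-extension://abcdef/popup.html',
    body: { documentURL: 'chrome-extension://abcdef/popup.html',
            effectiveDirective: 'script-src', blockedURL: 'inline' } },
  { type: 'deprecation', age: 5, url: 'https://example.com/app', body: {} },
]);

console.log(parseCspReports('application/csp-report', SAMPLE_LEGACY, 'https://example.com'));
console.log(parseCspReports('application/reports+json', SAMPLE_REPORTING_API, 'https://example.com'));
```

Two points worth keeping in mind when wiring this up: the endpoint should answer 204 with no body regardless of outcome, so it leaks nothing to a client probing it, and it should sit behind the same rate limiting as any other unauthenticated POST, because a flood of fake reports is the cheapest way to bury a real one.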
What we don’t store
We don’t log your browsing history. The only sites we record are the ones you’ve told us to intercept — and only because we have to in order to do that job. The extension does not phone home with anything beyond that scope.
We don’t store raw card numbers. Payments are processed by Paddle as Merchant of Record. Paddle is PCI-DSS Level 1 certified and is the legal seller for slip charges; we receive only the charge outcome (paid, failed, disputed, refunded) and Paddle’s opaque reference.
Authentication
Accounts use email magic links. You receive a one-time link that signs you in for the session; there’s no password to remember, log, or breach. Sessions are managed by Supabase Auth; we never see or store the magic link tokens after they’re used.
Disclosure policy
We welcome reports from security researchers. If you find something:
Email [email protected] with the details. PGP-encrypted reports are welcome; see the PGP key section below for how to obtain the current key. Please don’t share publicly until we’ve had a chance to triage.
Our response targets: we acknowledge within 24 hours, complete triage within 5 business days, and share a fix or mitigation plan within 7 days for critical issues, 30 days for high-severity, and 90 days for moderate. The full disclosure policy lives in SECURITY.md.
We don’t pursue legal action against researchers who act in good faith, do not access user data beyond what’s needed to demonstrate the issue, and give us reasonable time to fix it before disclosure.
PGP key
PGP-encrypted reports are accepted on request. Email [email protected] asking for the current public key; we’ll send it in-thread and post the fingerprint here once it’s been distributed.
Hall of fame
When the product is bigger, this section will list the researchers who made it safer. For now: we’d be grateful to put your name here first.
Compliance
GDPR & CCPA. You can request access, export, or deletion of your data at any time. The full list of statutory rights, response windows, and the channels to invoke each one is on the privacy page. For now, email [email protected] and we’ll handle the request within the legal window.
Sub-processors. Supabase (database, auth, Realtime — AWS us-east-1), Resend (outbound email — AWS us-east-1), Paddle (payments, UK), Cloudflare (DNS, edge, email routing), Hetzner (EU marketing-site origin), GitHub (source & CI), Plausible (anonymous marketing analytics, dormant). Transfers to US processors are covered by the EU–US Data Privacy Framework and Standard Contractual Clauses. The complete sub-processor table with purposes is on the privacy page. Any change is announced before it takes effect.
Incident response
If a breach happens, we notify all affected users within 72 hours of confirmation, in plain English, with the scope, the cause, and what we’re doing about it. No legal-speak press release.