Private beta Join the waitlist →
Security & GDPR

Your client data,
treated like our own.

We process sensitive business data (revenue, ad spend, conversions) from your marketing tools. Here’s what we actually do to protect it, no jargon.

Hosting & infrastructure

100% in Europe

Database and storage on Supabase, Ireland region (eu-west-1). No replication to the United States. Backups stay in Europe.

Postgres + Row-Level Security

Every row in the database is protected by a Row-Level Security policy at the Postgres level: impossible for a user to access a workspace that isn’t theirs, even in case of an application bug.

Encrypted OAuth tokens

Access tokens for your connectors (GA4, Meta Ads, Google Ads…) are stored encrypted via Supabase Vault. Never logged, never displayed in plaintext, never transmitted outside the server process.

HTTPS everywhere

TLS 1.2+ on all domains (app, api, smartanalyst.io). Strict security headers (HSTS, CSP, X-Frame-Options). Cookies set HttpOnly + Secure + SameSite=Strict.

GDPR, concretely

Explicit consent

At signup, consent checkboxes are unchecked by default. You enable what you want, when you want. Every consent is timestamped and kept.

Right to be forgotten

Request account deletion? We process it in under 30 days. Immediate soft-delete, personal data anonymization, identifier purge.

Data export

At any moment, you can export all your data (insights, reports, metrics) in JSON format. No lock-in.

Complete audit trail

Every sensitive action (login, tool connection, report sent, plan change) is logged with user, timestamp, IP and user-agent. Available to you on request.

What we don’t do

No data reselling

Your data is never sold, never used to train a general-purpose AI model, never shared with a third party without your explicit consent.

No third-party tracking

No Google Analytics, no Meta Pixel, no Hotjar on authenticated spaces. We use Plausible (European analytics, cookieless) on public pages.

No human access to your data

Our team never accesses your workspace content, unless you explicitly authorize us to for a support ticket. Access is logged and revocable.

AI & confidentiality

SmartAnalyst uses Anthropic Claude models (Sonnet and Haiku) to generate insights and answers. Anthropic contractually commits to:

  • not train its models on requests sent through our API;
  • retain requests for a maximum of 30 days for operational security, then delete them;
  • not share content with third parties.

We only transmit to the AI the metrics needed for the question asked, never personal identifiers (email, name, address). The AI talks to our canonical metrics schema, not to your raw data.

Subprocessors & DPA

The full list of our subprocessors, their role and hosting region, per GDPR Article 28.

Subprocessor Role Hosting DPA signed
Supabase Database + auth + storage Ireland (eu-west-1)
Anthropic AI models (Claude) United States (zero data retention)
Stripe Payments Ireland (EU entity)
Resend Transactional email Europe
Hostinger Marketing site hosting Europe

A question, an incident, a report?

Email us at security@smartanalyst.io. For vulnerability reports, we commit to a first reply within 48 business hours.