Security, privacy, and transparency

• TLS 1.3 for all data in transit
• AES-256 encryption for data at rest
• Row-level security in PostgreSQL
• Encrypted environment variables

• OAuth 2.0 / PKCE authentication flow
• JWT tokens with short expiry windows
• Secure HTTP-only session cookies
• Rate limiting on all API endpoints

• Hosted on Vercel edge network (SOC 2 Type II)
• Supabase managed PostgreSQL (SOC 2 Type II)
• Automatic HTTPS certificate management
• DDoS protection via Cloudflare

• User analysis data is never shared or sold
• Claim text processed in-session only
• No third-party analytics tracking
• Right to data deletion on request

What we collect

• •Account email and authentication credentials
• •Claims submitted for analysis (stored for your history)
• •Usage metrics for rate limiting and billing
• •Standard web server logs (IP, user agent, timestamps)

What we never collect

• •Personal health information (PHI)
• •Financial data or payment card numbers (handled by Stripe)
• •Social media accounts or browsing history
• •Location data beyond IP-derived country

Educational Purpose

All analysis output is clearly labeled as educational and not legal or regulatory advice. We recommend consulting qualified legal counsel for compliance decisions.

Source Attribution

Every signal cites its source — FDA database, ClinicalTrials.gov, PubMed, FTC filings — so you can verify independently.

Confidence Transparency

We publish confidence scores on every signal and document the calibration methodology on our Methodology page.