Security & data

How your data and your clients’ data is handled.

If you run audits on behalf of clients, their data is your responsibility — and ours. This page is the detailed version: where data lives, who can reach it, what leaves our systems, and what happens when you ask us to delete it. Where something is on the roadmap rather than shipped, it says so.

Hosting & storage: Audits, hypotheses, and metadata are stored in Supabase Postgres in the EU region. Every query carries an account-ownership filter — no account ever reads another account’s data, by construction. GA4 refresh tokens (when you connect GA4) are encrypted at rest with AES-256-GCM. Screenshots are stored per-audit, scoped to the originating account.
Encryption: Data is encrypted in transit over TLS and at rest in the database. We hold the minimum credentials needed to run an audit and nothing more.
Authentication: Authentication runs through Clerk. We don’t store passwords on our side; Clerk handles password hashing, session tokens, OAuth, and account recovery. Multi-factor authentication is available on every account.
What goes to Anthropic: The audit data — including page snapshots and your GA4 figures — passes through Anthropic’s Claude API for hypothesis generation. Anthropic does not train on data submitted to their commercial API; this is a contractual commitment, not a setting we toggle. No customer data is retained beyond the duration of the API call.
Cross-account boundary: No account ever sees another account’s raw data. The cross-client portfolio learning on the roadmap Roadmap will cross the boundary only in abstracted form — pillar, mechanism, direction of result — never the raw site, the actual numbers, or anything that identifies a client.
Your rights: You can export your audits and hypotheses at any time. Account deletion places everything into a 30-day read-only state, after which the data is permanently removed from active storage and backups.
White-label / dedicated deployment: Agencies that need data resident on their own infrastructure can do so under a white-label agreement. Talk to us about the shape of the deployment.
Security contact: Security questions, disclosures, or DPA requests: email security@hypothesisly.com.

This page describes current practice and is updated as the product changes. Roadmap items are labelled and are not live until stated otherwise.

Talk to us

Have a security review to run?

We’re happy to walk an agency principal or a security team through the specifics before you commit.

Email security