Trust Center
Security, privacy & compliance
Leapo handles personal data for solopreneurs across the EU. This page is the full picture of how we host, encrypt, share, and govern that data, written for partners, procurement teams, and security-curious customers.
Last updated: May 21, 2026
At a glance
- Legal entity
- Mercurio bvba (operating Leapo) · Groenstraat 299, 9041 Gent, Belgium · VAT BE 0479.444.274
- Data hosting
- Supabase (Postgres) and Vercel (compute), both in EU regions
- AI processing
- Mistral AI (Paris, France), EU-resident, no US transfer
- Encryption
- AES-256 at rest · TLS 1.3 in transit
- Primary jurisdiction
- Belgium (EU/EEA). Subject to GDPR.
- Subprocessors
- Public list with DPAs and transfer mechanisms →
- Certifications
- SOC 2 Type I, planned Q1 2027 · ISAE 3402 readiness, planned 2027
- Cyber insurance
- €1M policy, in procurement
- Contact
- security@leapo.app
Where we are honestly
Leapo is a small, founder-led team. We've built compliance and security-by-design in from day one: a fully EU-resident stack (Supabase, Vercel, and Mistral AI all in Europe), PII redaction in AI calls, documented subprocessors, and GDPR rights workflows live in-product. We are not yet SOC 2 or ISO 27001 certified. Our roadmap is published below, and we're happy to commit to specific milestones in vendor contracts. If you're evaluating us for a partnership and need to see anything not on this page, email security@leapo.app.
1. Hosting & infrastructure
Customer data is hosted in the European Union. We use two primary infrastructure providers:
- Supabase (Postgres database, authentication, storage), EU region eu-central-1 (Frankfurt, Germany), running on AWS infrastructure.
- Vercel (application hosting, edge compute): serverless functions are routed to the nearest EU region by default; static assets are served from Vercel's global CDN.
All physical data centers are SOC 2 Type II, ISO 27001, and ISO 27018 certified at the infrastructure provider level (AWS).
2. Encryption
At rest: all Postgres data is encrypted using AES-256 via Supabase's storage layer (PostgreSQL transparent data encryption). Database backups are encrypted using the same standard.
In transit: TLS 1.3 (with TLS 1.2 fallback) is enforced for all connections. HSTS is enabled on leapo.app with a 12-month max-age. Internal service-to-service traffic (Vercel ↔ Supabase ↔ Stripe ↔ Mistral) is HTTPS-only.
Secrets management: environment variables (API keys, signing secrets, service-role credentials) are stored encrypted in Vercel's and GitHub's secret stores. No secrets are committed to the repository.
3. Access control
Customer-facing: Leapo uses Supabase Auth with row-level security (RLS) on every table holding user data. A user can only read or modify their own records, enforced at the database layer, not just the application layer.
Administrative: production database access is restricted to the founder (single-person team today). All admin access requires multi-factor authentication. Admin sessions are short-lived. We do not maintain a separate "ops team" with standing access.
Third-party access: none of our subprocessors have direct read access to your application data beyond what their service requires (e.g. Stripe sees billing-related data only; Mistral sees only the prompt content for the duration of the API call, see Section 5).
4. Data handling & retention
What we collect: email and name (for authentication), niche / location / business-plan answers (provided by the user, used to personalize the product), payment metadata via Stripe (we never see card numbers), activity logs for product analytics.
What we don't collect: we do not collect sensitive special-category data (health, biometric, religious, political). If a user types something special-category into a free-text field, we recommend they don't, and we minimize its onward transmission to subprocessors (see Section 5).
Retention: account data is retained for the lifetime of the account. On deletion (Section 6), it is purged from the primary database within 30 days. Encrypted backups containing the data are retained for an additional 30 days, then permanently destroyed.
5. AI processing (Mistral, EU)
Leapo uses Mistral AI, a French AI company headquartered in Paris, to power the AI Coach, AI Lead Engine, and Launch Kit generators. All AI processing happens within the EU, so personal data never leaves the European Economic Area:
- Data sent: niche, city, business-plan summary, and the user's current question. Personal identifiers (name, embedded emails, phone numbers) are redacted before send; see lib/security/pii.ts for the implementation.
- Training opt-out: Mistral's API does not use customer prompts to train models, confirmed in their terms and DPA.
- Retention at Mistral: API request data is retained for short-term abuse monitoring then permanently deleted. No long-term storage.
- Transfer mechanism: none required. Mistral is a French (EU) data controller, your prompts never cross EU borders. No SCCs, no Transfer Impact Assessment, no Schrems II conversation needed.
- Fallback: if Mistral has an outage, our factory automatically routes to OpenAI (US) as a kill-switch under SCCs. This is operational, not the default path.
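To make the "Data sent" commitment above concrete, here is an added illustration of prompt-side PII redaction of the kind described (emails, phone numbers, and the authenticated user's known name replaced with placeholders before the LLM call). It is example code written for this page, not Leapo's lib/security/pii.ts; the function name redactPii, the placeholder tokens, and the sample prompt are all assumptions.

```typescript
// Hypothetical redaction step run on prompt text before it is sent to the LLM.
// Not Leapo's lib/security/pii.ts; written for this page as an illustration.

interface RedactionResult {
  text: string;
  counts: { email: number; phone: number; name: number }; // useful for audit logging
}

// Deliberately broad e-mail shape: over-redacting is safer than leaking.
const EMAIL_RE = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
// Phone-like runs: optional "+", then 8+ digits with spaces, dots, dashes or parentheses.
const PHONE_RE = /\+?\d[\d\s().-]{7,}\d/g;

function escapeRegExp(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// knownNames comes from the authenticated user's profile, so name redaction does not
// depend on guessing which words in free text are names.
function redactPii(text: string, knownNames: string[] = []): RedactionResult {
  const counts = { email: 0, phone: 0, name: 0 };

  let out = text.replace(EMAIL_RE, () => { counts.email++; return "[EMAIL]"; });
  out = out.replace(PHONE_RE, () => { counts.phone++; return "[PHONE]"; });

  // Longest names first so "Anna Peeters" is replaced before a bare "Anna" would be.
  const names = knownNames
    .map((n) => n.trim())
    .filter((n) => n.length >= 2)
    .sort((a, b) => b.length - a.length);
  for (const n of names) {
    const re = new RegExp(`\\b${escapeRegExp(n)}\\b`, "gi");
    out = out.replace(re, () => { counts.name++; return "[NAME]"; });
  }
  return { text: out, counts };
}

// Constructed sample prompt: a user pasting their own contact details into a coach question.
const SAMPLE_PROMPT =
  "Hi, I'm Anna Peeters (anna@example.com, +32 470 12 34 56). My niche is yoga in Gent.";
const SAMPLE_RESULT = redactPii(SAMPLE_PROMPT, ["Anna Peeters"]);
// SAMPLE_RESULT.text === "Hi, I'm [NAME] ([EMAIL], [PHONE]). My niche is yoga in Gent."
```

The counts are what you would log per request: the redacted text itself should not be logged, and the raw prompt never reaches the log at all.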
6. GDPR rights
Users can exercise the following rights at any time via privacy@leapo.app or in-app where indicated:
- Right of access (Art. 15), request a copy of all data we hold about you
- Right to rectification (Art. 16), most fields are user-editable directly in account settings
- Right to erasure (Art. 17), request full account deletion; we propagate the request to subprocessors
- Right to data portability (Art. 20), receive your data in machine-readable JSON
- Right to object (Art. 21), opt out of processing based on legitimate interest
- Right to lodge a complaint with your supervisory authority (Belgium: Autorité de Protection des Données / Gegevensbeschermingsautoriteit)
Standard response SLA: 30 days from receipt, in line with GDPR Art. 12(3). We confirm receipt within 72 hours.
7. Subprocessors
Every third-party service that processes user data on our behalf is listed publicly, with its purpose, country, and applicable data-protection mechanism:
View full subprocessor list →
We notify partners of new subprocessors before they go live, via this page and (for contracted B2B customers) email.
8. Incident response
We maintain a written incident response plan covering detection, containment, eradication, recovery, and post-mortem. Key commitments:
- Detection: Sentry monitors runtime errors; Supabase logs surface anomalous database queries; Stripe webhooks alert on failed payment patterns.
- Notification SLA: if a personal-data breach occurs, we notify the supervisory authority within 72 hours (GDPR Art. 33) and affected users without undue delay (Art. 34).
- Partner notification: B2B partners are notified within 24 hours of confirmed incidents affecting their users, with an initial scope assessment.
9. Backups & disaster recovery
Backups: Supabase performs daily point-in-time recovery snapshots of the production database, retained for 7 days on the Pro plan and 30 days on the Team plan. Backups are encrypted and stored in the same EU region as the primary database.
RTO / RPO: our target Recovery Time Objective is 4 hours and Recovery Point Objective is 24 hours. These are best-effort targets, not contractually guaranteed today. We offer formal SLAs to B2B partners as part of contract negotiation.
Provider-level redundancy: AWS (underlying Supabase) and Vercel both operate multi-AZ infrastructure within EU regions, providing resilience against single-data-center failures.
10. Certifications & roadmap
We're not certified today. We've committed to the following milestones:
| Milestone | Target | Status |
|---|---|---|
| PII minimization in LLM calls | Q2 2026 | Active |
| EU-hosted LLM (Mistral AI, Paris) | Q2 2026 | Active |
| GDPR data export + delete (Art. 15 + 17) | Q2 2026 | Active |
| Cyber insurance €1M policy | Q3 2026 | In procurement |
| Penetration test (Belgian firm) | Q4 2026 | Planned |
| SOC 2 Type I | Q1 2027 | Planned |
| SOC 2 Type II | Q4 2027 | Planned |
| ISAE 3402 Type I (Belgian market) | 2027 | Planned |
Roadmap items are good-faith targets, not contractual commitments unless written into a specific customer agreement.
11. Downloadable documents
For procurement teams: standard documents you'll want for a vendor review.
- One-page summary answering "is your platform GDPR-compliant?" Controller info, lawful bases, subject rights, transfers, breach notification. Print-ready.
- GDPR Art. 28 template, ready to sign. Names Leapo as processor and includes SCCs annex.
- Pre-filled vendor security questionnaire covering governance, IAM, encryption, BC/DR, incident response.
- Public, 5-language. Covers what data we collect, why, how long, and your rights.
- The legal agreement governing use of the Leapo product.
12. Contact
Security questions
security@leapo.app · Vulnerability reports, vendor reviews, partnership-related security questions.
Privacy / GDPR requests
privacy@leapo.app · Data subject access, deletion, portability, and rectification requests.
For responsible disclosure of security vulnerabilities: please email security@leapo.app with a description of the issue and steps to reproduce. We commit to acknowledging within 72 hours and will not take legal action against good-faith researchers who follow standard disclosure practice.